Thursday, October 20, 2011

Regulatory Register

http://www.enhesa.com/en/service/regulatoryregister.aspx
Regulatory Register
Are you in compliance by accident or design?
How do you identify the regulations that apply to your particular activities, across a range of facilities around the world? How do you identify exactly what they require you to do, and how do you know when they change? Are you sure you have identified all of the applicable requirements?

The Compliance Challenge
One of the most common root-causes of non-compliance is a facility being unaware that a particular regulation is applicable to its activities.

ENHESA's Regulatory Register is a tool designed to give any facility or operational unit direct access to the legislation that affects them, as well as an overview of what it is they are required to do to comply with it. It was specifically designed to ensure conformity with the requirements of both ISO 1401 and OHSAS 18001, and can be used as a key component of the ISO 14001 and OHSAS 18001 requirement (§4.3.2) to establish and maintain a procedure to identify and have access to the applicable legal and other requirements that are applicable to the environmental aspects of its activities, products or services. To this end it provides an up-to-date registry of the applicable EHS laws and regulations of the countries and regions in which the company operates.

These days there are more things that need to be done and which need to be verified. An increasing focus on implementation and enforcement means a greater risk of being found to be out of compliance. Coupled with a trend towards greater transparency and accountability, this requires any company that wishes to be taken seriously to devote sufficient attention to EHS awareness and compliance.

The ENHESA Knowledgebase
The EHS Regulatory Register draws on a robust expert system containing the analysis of thousands of regulatory texts and their impact on business. Our wide range of international coverage allows us to maintain our expert system of EHS regulations and requirements for more than 150 countries, many of which we monitor and update on a daily basis. This provides us with an excellent source of information that the Regulatory Register draws from.

Methodology
The ENHESA EHS Regulatory Register allows users to define the scope to include only those regulations which would be applicable to the facility's operations at a given moment in time.

1. Scoping

Initially, the user goes into the dedicated website and selects the country or region of interest and may also select particular issues of interest, such as waste disposal or chemicals management. This allows the scope to be narrowed down sufficiently to generate a relevant list of tailoring questions.

2. Tailoring

The user is then presented with a selection of questions about the facility's operations which are answered using 'yes', 'no' or 'unsure' checkboxes. Where the user is not certain about a given issue, further information is given in the form of pop-up boxes which elaborate on a given point. An example of this would be a question to determine whether the facility handles hazardous waste, further information would be available to clarify what exactly is considered to be hazardous waste or in what quantities the legislation becomes applicable.

3. List of Applicable Regulations

Once these have been answered the user is presented with a list of potentially applicable EHS regulations. In this list a distinction is made between legislation which is definitely applicable, and that which could potentially be applicable, based on the answers to the questions given in the first step. Where a user did not give a definitive 'yes' or 'no' answer, the relevant legislation will appear as potentially applicable. This allows for more clarity and allows the user to further define the applicability at a later stage.

Each law or regulation that appears in the resultant list then links on to details about the main requirements that arise from it and what has to be done to stay in compliance.

4. Applicable Requirements

Perhaps the most important component of the Regulatory Register, this section allows the user to see a summary of the requirements arising from each piece of legislation. For each entry on the list, the user can see the exact citation, a description of the main content and a summary of the main requirements. The main requirements will explain what has to be done to stay in compliance. It will identify what is being regulated, what the key requirements are, and what it applies to.

5. Original Text of the Legislation

Wherever possible, each entry also provides a link to the original text of the legislation, whether this is publicly available online or it is saved separately in the ENHESA database. This gives the user instant access to the legislation.

Professional Support
If you would rather not have to go through the motions of answering scoping questions or accessing a database, ENHESA Consultants can help you. Where requested to do so, ENHESA can pre-tailor a Regulatory Register to a specific client's needs. In this case we work closely with the client to ensure that we know as much about the client's operations, products and activities as possible to be able to accurately identify all of the applicable requirements. One of our Consultants can also come on site to help you set up the Regulatory Register and integrate with your way of doing business. And of course if you have problems determining whether or not a Regulation is applicable to your operation or to know how to ensure ongoing compliance, you can use the Enhesa Helpline to get support.

Complementary Tools
More information
To find out more about the EHS Regulatory Register and how it could be of use to your business, please contact us at enhesa@enhesa.com for more information.

Enhesa Global Regulatory Register Service (Download pdf)

information governance

http://www.nhsbsa.nhs.uk/Documents/NHSBSACorporatePoliciesandProcedures/Information_Governance_Policy.pdf

searchcom;iance.com

search compiance
http://searchcompliance.techtarget.com/tip/Applying-the-ISO-27005-risk-management-standard

The Business Standards Encyclopedia

http://www.standards.bz/index.html
The Business Standards Encyclopedia

STANDARDS.BZ


Welcome to The Business Standards Encyclopedia. This is an independent portal intended to document the major busines standards for reference. We will simply outline the contents, and any other relevant information for the potential user. In this context the potential user may be a consultant, an auditor, or anyone within an organization which is using or implementing standards.

It is not an online store. Rather than attempting to emulate the many providers of standards already in situ on the internet, we will direct you to the purchase page(s) of one or more of the major suppliers for each standard.

PCI Point-to-Point Encryption

PCI Point-to-Point Encryption: Solution Requirements –
https://www.pcisecuritystandards.org/documents/nb59Y8Qqv/P2PE_Hardware_Solution_%20Requirements_Initial_Release.pdf

Table of Contents
Document Changes ...................................................................................................................................................................................................... i
Preface .......................................................................................................................................................................................................................... 1
Definition of Secure Cryptographic Devices (SCDs) to be used for Point-to-Point Encryption................................................................................... 1
Definition of Account Data ........................................................................................................................................................................................... 2
Introduction: Solution Requirements for Point-to-Point Encryption...................................................................................................................... 3
Purpose of this Document ........................................................................................................................................................................................... 3
P2PE Roles and Responsibilities ................................................................................................................................................................................ 4
Table 1: At-a-Glance – Domains and Requirements for P2PE Validation – Solutions with SCD Encryption/Decryption and Key Management .. 8
Figure 1: At-a-Glance - Steps Required to Create and Validate a P2PE Solution ................................................................................................ 11
Table 2: At a Glance - Requirements and Processes for P2PE Solution Validation ............................................................................................ 12
Figure 2: At a Glance - Illustration of a typical P2PE Implementation and Associated Requirements .................................................................. 14
Domain 1: Encryption Device ................................................................................................................................................................................... 17
P2PE Requirements for Domain 1 ............................................................................................................................................................................ 17
Domain 2: Application Security................................................................................................................................................................................ 23
P2PE Requirements for Domain 2 ............................................................................................................................................................................ 24
Domain 3: Encryption Environment ......................................................................................................................................................................... 29
P2PE Requirements for Domain 3 ............................................................................................................................................................................ 30
Domain 4: Transmissions between Encryption and Decryption Environments ................................................................................................. 38
Domain 5: Decryption Environment ......................................................................................................................................................................... 39
P2PE Requirements for Domain 5 ............................................................................................................................................................................ 40
Domain 6: Cryptographic Key Operations .............................................................................................................................................................. 46
P2PE Requirements for Domain 6 ............................................................................................................................................................................ 48
Cryptographic Key Operations – Annex A: Symmetric Key Distribution using Asymmetric Techniques ....................................................... 67
Requirements for Remote Key Establishment and Distribution – Logical Security................................................................................................... 67
Requirements for Remote Key Establishment and Distribution – Physical Security................................................................................................. 75
Cryptographic Key Operations – Annex B: Key-Injection Facilities..................................................................................................................... 78
Requirements for Key-Injection Facilities .................................................................................................................................................................. 79
Appendix A: PCI DSS Validation for P2PE Merchants ........................................................................................................................................... 81
Appendix B: Glossary................................................................................................................................................................................................ 85
Appendix C: Minimum Key Sizes and Equivalent Key Strengths ........................................................................................................................

Welcome to the PCI Security Standards Council

https://www.pcisecuritystandards.org/

ABOUT THE PCI SECURITY STANDARDS COUNCIL

The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. Learn More

Bill C-6

canada privacy law

http://www.parl.gc.ca/HousePublications/Publication.aspx?Pub=Bill&Doc=C-6&Language=E&Mode=1&Parl=36&Ses=2

Bill C-6
Table of Contents
Summary
BILL C-6
SHORT TITLE
PART 1
PROTECTION OF PERSONAL SECTOR
Interpretation
Purpose
Application
DIVISION 1
PROTECTION OF PERSONAL INFORMATION
DIVISION 2
REMEDIES
DIVISION 3
AUDITS
DIVISION 4
GENERAL
DIVISION 5
TRANSITIONAL PROVISIONS
PART 2
ELECTRONIC DOCUMENTS
Interpretation
Purpose
Electronic Alternatives
Regulations and Orders
PART 3
AMENDMENTS TO THE CANADA EVIDENCE ACT
PART 4
AMENDMENTS TO THE STATUTORY INSTRUMENTS ACT
PART 5
AMENDMENTS TO THE STATUTE REVISION ACT
Revision
PART III
CONSOLIDATED STATUTES AND REGULATIONS OF CANADA
Interpretation
Consolidation of the Statutes and Regulations
Publication and Distribution
Effect of Consolidation
Co-publishing Agreements
PART 6
COMING INTO FORCE
SCHEDULE 1
SCHEDULE 2
SCHEDULE 3
TABLE OF PROVISIONS

International Privacy Laws

http://www.informationshield.com/intprivacylaws.html

International Privacy Laws

The following list contains a number of international privacy related laws by country and region. Wherever possible, these hyperlinks reference an English translation of the law. See also our list of U.S. Privacy Laws and other information security policy resources.

Argentina: Personal Data Protection Act of 2000 (aka Habeas Data)
Austria: Data Protection Act 2000, Austrian Federal Law Gazette part I No. 165/1999
(Datenschutzgesetz 2000 or DSG 2000).
Australia: Privacy Act of 1988
Belgium: Belgium Data Protection Law and Belgian Data Privacy Commission Privacy Blog
Brazil: Privacy currently governed by Article 5 of the 1988 Constitution.
Bulgaria: The Bulgarian Personal Data Protection Act, was adopted on December 21, 2001 and entered into force on January 1, 2002. More information at the Bugarian Data Protection Authority
Canada: The Privacy Act - July 1983
Personal Information Protection and Electronic Data Act (PIPEDA) of 2000 (Bill C-6)
Chile: Act on the Protection of Personal Data, August 1998
Colombia: Two laws affecting data privacy - Law 1266 of 2008: (in Spanish) and Law 1273 of 2009 (in Spanish) Also, the constitution provides any person the right to update their personal information
Czech Republic: Act on Protection of Personal Data (April 2000) No. 101
Denmark: Act on Processing of Personal Data, Act No. 429, May 2000.
Estonia: Personal Data Protection Act of 2003. June 1996, Consolidated July 2002.
European Union: European Union Data Protection Directive of 1998
EU Internet Privacy Law of 2002 (DIRECTIVE 2002/58/EC) With a discussion here.
Finland: Act on the Amendment of the Personal Data Act (986) 2000.
France: Data Protection Act of 1978 (revised in 2004)
Germany: Federal Data Protection Act of 2001
Greece: Law No.2472 on the Protection of Individuals with Regard to the Processing of Personal Data, April 1997.
Guernsey: Data Protection (Bailiwick of Guernsey) Law of 2001
Hong Kong: Personal Data Ordinance (The "Ordinance")
Hungary: Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interests (excerpts in English).
Iceland: Act of Protection of Individual; Processing Personal Data (Jan 2000)
Ireland: Data Protection (Amendment) Act, Number 6 of 2003
India: Information Technology Act of 2000
Italy: Data Protection Code of 2003
Italy: Processing of Personal Data Act, January 1997
Japan: Personal Information Protection Law (Act) (Official English Translation)
Law Summary from Jonesday Publishing
Japan: Law for the Protection of Computer Processed Data Held by Administrative Organs, December 1988.
Korea - Act on Personal Information Protection of Public Agencies Act on Information and Communication Network Usage
Latvia: Personal Data Protection Law, March 23, 2000.
Lithuania: Law on Legal Protection of Personal Data (June 1996)
Luxembourg: Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data.
Malaysia - Common Law principle of confidentiality Personal data Protection Bill (Not finalized) Banking and Financial Institutions Act of 1989 privacy provisions.
Malta: Data Protection Act (Act XXVI of 2001), Amended March 22, 2002, November 15, 2002 and July 15, 2003
Morocco: Data Protection Act
Netherlands: Dutch Personal Data Protection Act 2000 as amended by Acts dated 5 April 2001, Bulletin of Acts, Orders and Decrees 180, 6 December 2001
New Zealand: Privacy Act, May 1993; Privacy Amendment Act, 1993; Privacy Amendment Act, 1994
Norway: Personal Data Act (April 2000) - Act of 14 April 2000 No. 31 Relating to the Processing of Personal Data (Personal Data Act)
Philippines: No general data protection law, but there is a recognized right of privacy in civil law and a model data protection code.
Romania: Law No. 677/2001 for the Protection of Persons concerning the Processing of Personal Data and the Free Circulation of Such Data
Poland: Act of the Protection of Personal Data (August 1997)
Portugal: Act on the Protection of Personal Data (Law 67/98 of 26 October)
Singapore - The E-commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce. Other related Singapore Laws and E-commerce Laws .
Slovak Republic: Act No. 428 of 3 July 2002 on Personal Data Protection.
Slovenia: Personal Data Protection Act , RS No. 55/99.
South Africa: Electronic Communications and Transactions Act, 2002
South Korea: The Act on Promotion of Information and Communications Network Utilization and Data Protection of 2000
http://www.internet.org.za/ect_act.html
Spain: ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data
Switzerland: The Federal Law on Data Protection of 1992
Sweden: Personal Data Protection Act (1998:204), October 24, 1998
Taiwan: Computer Processed Personal data Protection Law - applies only to public institutions. (English Translation)
Thailand: Official Information Act, B.E. 2540 (1997) for state agencies. ( Personal data Protection bill under consideration.)
United Kingdom: UK Data Protection Act 1998
Privacy and Electronic Communications (EC Directive) Regulations 2003 official text, and a consumer oriented site at the Information Commissioner's Office.
Vietnam: The Law on Electronic Transactions 2008
Regulatory Compliance » United States Data Privacy Laws

Regulatory Compliance Solutions

http://www.informationshield.com/compliance.html

Regulatory Compliance Solutions

Information security and data privacy regulations start with two common threads. First, you must adopt a set of information security and privacy policies that reduce organizational risk and protect information assets. Second, you must define and document proper roles and responsibilities to insure that critical security and privacy functions are adopted and managed.

By focusing on international standards for information security and privacy, Information Shield security and privacy products are designed to help organizations achieve a risk-based approach to corporate governance, regardless of industry or geography.

Standards-Based Approach to Regulatory Compliance

Information Shield publications enable compliance with any information security or privacy regulation, by enabling a best-practices approach to managing information that is based on international standards. Our security policy library is based on ISO 17799 (ISO 27002), the international standard for information security management, and our privacy management toolkit is based on the O.E.C.D. Privacy Principles, the international standard for privacy management. Our publications fit squarely in the model of a "unified" approach to compliance.

Specific Regulations Addressed by Information Shield

While our publications help with any compliance program, we also provide specific information to help enable compliance with a number of security and privacy regulations.

Financial Services - Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SARBOX), USA PATRIOT ACT, PCI Data Security Standard, and the Basel II Accord (EU).
Healthcare and Pharmaceuticals - HIPAA (Health Insurance Portability and Accountability Act of 1996) and FDA 21 CFR Part 11.
Infrastructure and Energy - Guidelines for FERC and NERC Cybersecurity Standards, the Chemical Sector Cyber Security Program and Customs-Trade Partnership Against Terrorism (C-TPAT).
Federal Government - Compliance with FISMA and related NSA Guidelines and NIST Standards.
Security Methodologies - Information Shield enables adoption of security and control frameworks such as ISO 1-7799, COSO and COBIT.
Consumer Protection and Data Privacy - Our publications help compliance with:
a. Children's Online Privacy Protection Act (COPPA)
b. Children's Internet Protection Act (CIPA)
c. CAN-SPAM - Federal law regarding unsolicited electronic mail.
d. BILL C-6: PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (Canada)
e. California Individual Privacy Senate Bill - SB1386
Data Privacy Laws

See our list of US Privacy Laws and International Privacy Laws.

us privacy law

http://www.informationshield.com/usprivacylaws.html
us privacy law
United States Privacy Laws

The following list contains a number of United States federal and state laws that have provisions for data privacy. Also see our list of International Privacy Laws and other information security policy resources.

Americans with Disabilities Act (ADA) - Primer for business.
Cable Communications Policy Act of 1984 (Cable Act)
California Senate Bill 1386 (SB 1386) - Chaptered version.
Children's Internet Protection Act of 2001 (CIPA)
Children's Online Privacy Protection Act of 1998 (COPPA)
Communications Assistance for Law Enforcement Act of 1994 (CALEA) - Official CALEA website.
Computer Fraud and Abuse Act of 1986 (CFAA) law summary. Full text at Cornell
Computer Security Act of 1987 - (Superseded by the Federal Information Security Management Act (FISMA)
Consumer Credit Reporting Reform Act of 1996 (CCRRA) - Modifies the Fair Credit Reporting Act (FCRA).
Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003 law overview. Text of law at Cornell library
Electronic Funds Transfer Act (EFTA) Summary
Fair and Accurate Credit Transactions Act (FACTA) of 2003
Fair Credit Reporting Act (Full Text).
Federal Information Security Management Act (FISMA)
Federal Trade Commission Act (FTCA)
Driver's Privacy Protection Act of 1994 . Text of law at Cornell
Electronic Communications Privacy Act of 1986 (ECPA)
Electronic Freedom of Information Act of 1996 (E-FOIA) Discussion as it related to the Freedom of Information Act.
Fair Credit Reporting Act of 1999 (FCRA)
Family Education Rights and Privacy Act of 1974 (FERPA; also know as the Buckley Amendment)
Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)
Privacy Act of 1974 - including U.S. Department of Justice Overview
Privacy Protection Act of 1980 (PPA) - Additional discussion at http://www.epic.org/privacy/ppa/.
Right to Financial Privacy Act of 1978 (RFPA)
Telecommunications Act of 1996
Telephone Consumer Protection Act of 1991 (TCPA) - Text of law at http://www.law.cornell.edu/uscode/47/227.html
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
Video Privacy Protection Act of 1988 discussion and overview. Text of law at: Cornell Law Library.
To suggest additions to this list, please contact us.

Children's Online Privacy Protection Act (COPPA)

http://www.informationshield.com/coppaoverview.htm

COPPA and the FTC's rule require those institutions to:
Provide parents notice of their information practices;
Obtain prior verifiable parental consent for the collection, use, and/or disclosure of personal information from children (with certain limited exceptions for the collection of "online contact information," e.g., an e-mail address);
Provide a parent, upon request, with the means to review the personal information collected from his/her child;
Provide a parent with the opportunity to prevent the further use of personal information that has already been collected, or the future collection of personal information from that child;
Limit collection of personal information for a child's online participation in a game, prize offer, or other activity to information that is reasonably necessary for the activity; and
Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected.

Information Technology Security Awareness and Training Program

Building an Information
Technology Security Awareness
and Training Program
Mark Wilson and Joan Hash

http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
Building an Information
Technology Security Awareness
and Training Program
Mark Wilson and Joan Hash

http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

National Institute of standards and technology

Records Management as Stand-Up Comedy

http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202519101267&slreturn=1#

Records Management as Stand-Up Comedy
Evan Koblentz ContactAll Articles
Law Technology NewsOctober 18, 2011

Records management in the legal field isn't the most glamorous career choice. So it was a surprise to hear some very creative comments Sunday at the Legal Information Technology Conference, part of the wider ARMA conference in Washington, D.C. -- comments that kept this relatively dry subject pleasantly entertaining. A sampling of comments that kept legal records managers laughing follows.

Angela Akpapunam, director of document lifecycle services at WilmerHale, noted that some senior lawyers in her firm still refer to records management as "central files" and that one person misunderstood the term "document lifecycle" to be "document lifestyle."

Bryn Bowen, director of records information management at Greenberg Traurig, on establishing information governance in large firms: "We are sort of changing the tires while moving the truck."

Stacie Capshaw, associate director of records management at Kirkland & Ellis, said she was able to accomplish records management because her firm is "a loose federation of entrepreneurs."

Terrence Coan, senior director at Hildebrandt Baker Robbins, said information governance can range from "pretty crappy to really awesome."

Rudy Moliere, director of information governance and records management at White & Case, observed that records management is "not at all like herding cats -- you can see cats."

Moliere again, asked by an audience member to explain how predictive email filtering works: "Elves."

Sarah Stephens, chief knowledge officer at Sutherland, Asbill & Brennan, on software vendors Recommind and Autonomy: "We had Recommind come in the morning and Automony in the afternoon. We said we wanted to do A, B, and C, and frankly Recommind said, "Oh yeah, we can do that." Autonomy said, "Gosh, nobody's ever asked us that before, but I suppose we could figure it out."

But it was Richard Kotwa, director of client information and records compliance, also of Sutherland, who had line and after line to keep his audience smiling:

On hosted enterprise content management: "The cloud is scary. It's more likely to rain than anything else."

On microfiche: "I'm sure one day you'll be able to sell that stuff for a ton of money on eBay."

On document management systems: "Why is the DMS not popular? I think it's the structure. Attorneys are like cats. I'm an attorney so I can say that. You try to do something new and they run the other direction."

Still on document management systems: "It's a needle in a haystack. Content management allows you to at least pick the quadrant of the haystack to look in."

On knowledge management: "Knowledge management is like content management on steroids. But they aren't very good steroids."

On the IT staff: "You know how technical people are. They hide in the basement and nobody wants to go down there because it's a scary place."

On disaster recovery related to a snowstorm effecting his Atlanta office: "We shut down the town for a week and our disaster recovery plan was 'wait for sunshine'."

On his past life sorting document boxes: "I knew what was in 65 percent of them. The others were Christmas presents."

Evan Koblentz is a reporter for Law Technology News. Send e-mail.

ISO 27001

An Introduction To ISO 27001 (ISO27001)
ISO 27001
This is the specification for an information security management system (an ISMS) which replaced the old BS7799-2 standard


The ISO 27001 standard was published in October 2005, essentially replacing the old BS7799-2 standard. It is the specification for an ISMS, an Information Security Management System.

http://www.27000.org/iso-27001.htm

The objective of the standard itself is to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System". Regarding its adoption, this should be a strategic decision. Further, "The design and implementation of an organization's ISMS is influenced by their needs and objectives, security requirements, the process employed and the size and structure of the organization".


The standard defines its 'process approach' as "The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management". It employs the PDCA, Plan-Do-Check-Act model to structure the processes, and reflects the principles set out in the OECG guidelines (see oecd.org).


In a nutshell, the following diagram explains the logical flow of the process itself:



The process starts when the organization makes the decision to embark upon the exercise. Clearly, at this point, it is also important to ensure management commitment and then assign responsibilities for the project itself.

An organizational top level policy can then be developed and published. This can, and will normally, be supported by subordinate policies. The next stage is particularly critical: scoping. This will define which part(s) of the organization will be covered by the ISMS. Typically, it will define the location, assets and technology to be included.

At this stage a risk assessment will be undertaken, to determine the organization's risk exposure/profile, and identify the best route to address this. The document produced will be the basis for the next stage, which will be the management of those risks. A part of this process will be selection of appropriate controls with respect to those outlined in the standard (and ISO27002), with the justification for each decision recorded in a Statement of Applicability (SOA). The controls themselves should then be implemented as appropriate.

The certification process itself can then be embarked upon via a suitable accredited third party.

Next Page - INFORMATION GOVERNANCE

INFORMATION GOVERNANCE
http://www.nextpage.com/our-solution

Ready to bring some much-needed structure to your organization’s unstructured information?

Wednesday, October 5, 2011

India's Low-cost Tablet Is Made by Canada's DataWind By John Ribeiro, IDG News

India's Low-cost Tablet Is Made by Canada's DataWind
By John Ribeiro, IDG News

http://www.pcworld.com/businesscenter/article/241156/indias_lowcost_tablet_is_made_by_canadas_datawind.html

Facebook’s photo-tagging tweaks rig the game against privacy

Facebook’s photo-tagging tweaks rig the game against privacy

IVOR TOSSELL
Globe and Mail Update
Published Wednesday, Oct. 05, 2011 10:11AM EDT
Last updated Wednesday, Oct. 05, 2011 10:15AM EDT
20 comments
Email
Tweet PrintDecrease text sizeIncrease text size
Big changes to Facebook make big headlines. But it’s the small changes we really need to worry about.

For instance, Facebook is currently rolling out an attention-getting new look for user profiles. But over the past few months, the company has also unrolled a tiny change, so small as to seem completely unworthy of note.

MORE RELATED TO THIS STORY
Facebook topples the privacy façade
Facebook co-founder wants some privacy from social media
What Facebook users 'dislike' about the new makeover
With a small interface tweak, Facebook has made it harder to untag yourself from a photo. Not impossible – just harder. It’s gone from a split-second one-click process to a three-dialogue box option-hunting hassle. It sounds innocuous enough, but “harder” is all it takes to sway the behaviour of millions in favour of Facebook’s interests – at the expense of their own.

Facebook users are familiar with the drill: When users upload photos to the site, they’re encouraged to identify the people in each picture, tagging each one. Facebook users can wake up the morning after a party to discover that their friends have uploaded and tagged dozens of photos of them. These photos automatically appear on their Facebook pages, without prior consent. This system has existed for years.

This is why many, if not most, Facebook users have become masters of untagging themselves, scrubbing their names from unflattering photos they didn’t want to be associated with. This was fine, because Facebook made it easy.

Here’s the rub: That system is no longer. After a small interface switchup, Facebook now only offers users a one-click way to hide the photo on their profile – but not to get rid of the tag itself. The photo will still be identified in the album of the person who posted it, should anyone see it there. The link will still go to your page. And most importantly, Facebook itself will still know that it’s you in that picture.

It’s still possible to fully untag yourself. But the process has been made artificially burdensome. You have to hunt down the page to find an option for reporting or untagging images. Clicking brings up a dialogue box with several options to review. Choosing the “untag” option brings up a second dialogue box. Choosing “untag” in that dialogue box brings up a third dialogue box that confirms the untagging. Instead of one click, that’s four clicks, three boxes and two sets of option selections. Now, imagine repeating that across dozens of photos that might get posted after a night out. The process quickly becomes onerous.

Facebook likes it when people tag photos. It’s good for business. The more internal links the site contains, the more people click, the more time people spend on the site, the more information is gathered about users, and the better advertising can be targeted, seen and sold. And let’s be honest, to the viewer, it’s useful when photos are tagged. It’s engaging to put names to those unknown characters who lurk in the background, and to explore their profiles in turn. Tagging is good for everyone, except perhaps the people in those photos.

By implementing a change so administrative it seems too arcane to dwell on, Facebook is pressing its 800 million-odd users, uploading about 250 million photos a day, to leave untold numbers of tags in the system that they might sooner have deleted, were it not such a hassle. The tiniest details of design have a huge effect on the way people use technology. Users follow the path of least resistance.

In fact, Facebook is so eager for more tags that in other countries it has implemented a facial-recognition system that recognizes your friends’ faces and does the work for you. Facebook says it’s not planning to implement the system in Canada; the Privacy Commissioner of Ontario is among those who have expressed grave concerns about its privacy implications.

By making tagging easier than ever while simultaneously making untagging a pain, Facebook has again tilted the playing field in its own corporate interest.

The disinterested might ask: If you can still hide unseemly photos on your profile, do the persistent tags really matter? Yes. For one thing, they can be used as a back door into your account. A colleague recently found strangers leaving comments on photos she was sure she’d made fully private, only to find, buried deep in an options box, a light grey disclaimer reading, “Anyone tagged and their friends can also see this post.” This was not an option that can be changed.

It should also be a concern that, from all the photos, events, tags, and comments, Facebook can piece together a remarkable picture of what you’ve done where, when and with whom. Don’t think that law enforcement isn’t profoundly interested in this stuff. If Facebook isn’t sharing this information with police today, it might tomorrow: Laws change, and governments these days aren’t much more interested in the idea of privacy than Facebook itself is. Among the new photo-reporting options, Facebook now allows you to flag photos containing “Illegal drug use.” How handy for everyone.

Facebook continually wagers – and so far correctly – that users will let it massage their expectations of privacy downwards, and accept the tradeoff. After all, what’s the option? Not to use Facebook, in this day and age?

Well, yes.