Info Risk Today Podcast

For all the latest news and views, please visit the FFIEC Authentication Guidance Resource Center. Aite's Julie McNelley says the final FFIEC online authentication guidance offers greater detail in areas such as layered security, but that institutions have much to do to prepare for regulatory assessments in 2012.

A key factor in minimizing the risk of a breach when working with business associates is to provide these partners with the minimum amount of information they need to perform their services, says security expert Brian Lapidus.

Minnesota faces a government shutdown Friday, and state CISO Chris Buse confronts unexpected barriers in preparing for it. No one yet knows what services the IT security organization must support once the midnight deadline passes.

Organizations' biggest obstacles to privacy protection are the organizations themselves - specifically, their silos - says Dr. Ann Cavoukian, proponent of the new concept, Privacy by Redesign.

Fraud expert Ori Eisen says banks spend too much time reacting to ACH fraud, rather than trying to stop it. Now that the FFIEC's new online authentication guidance is official, banks must focus on eliminating outdated solutions and moving toward automated solutions for device identification and log analysis.

SafeNet CEO Chris Fedde says top executives, not chief information or chief information security officers, should have final say on what data to encrypt.

Leigh Williams says preventing online data breaches requires cooperation within the online ecosystem from domestic and international organizations. Spearheading and maintaining that cooperation requires federal oversight, he contends.

A new consortium is leading an effort to devise best practices for ensuring the security of networked medical devices.

Sen. Robert Menendez says regulators should have the power to compel banks to toughen IT security and offer timely customer notification of a breach. But if they don't, the Banking Committee member says in an interview, they should come to Congress to get that authority.

Online and mobile banking are taking the world by storm - especially in the Asia-Pacific region. But many institutions are simply not prepared to manage security and privacy appropriately in these venues, says Gartner's Matthew Cheung.

Northrop Grumman Cybersecurity Research Consortium's Robert Brammer says IT security researchers should think like Wayne Gretzky, the National Hockey League hall of famer: Skate to where the puck will be.

The latest component of the U.S. Department of Veterans Affairs' ongoing effort to protect medical devices from malware is the creation of a centralized patch management system, says Randy Ledsome, the VA's acting director of field security operations.

Greg Rattray, VP of Security at BITS, says we can't necessarily stop the spread of dangerous malware like Zeus, but banking institutions can do a better job of mitigating the risk and damage that follow such an attack.

AppSec's VanHorn says more segregation of employee duties is needed.

Working with business associates to prevent health information breaches requires far more than writing detailed contract terms on privacy and security, says regulatory expert Christopher Hourihan.

FDIC examiner Donald Saxinger says cloud computing can pose challenges when it comes to business continuity during disasters. Proactive vendor management, he says, is the best way to address potential hiccups before they become big problems.

The PCI Security Standards Council's new guidance on virtualization in the payments space aims to provide best practices for securing the payments chain's virtual platforms and appliances.

Today's advanced threats require an advanced cyber defense. That's why Bob Lamb of Booz Allen Hamilton recommends a new Cyber Operations blueprint that helps organizations assess and meet their cyber needs.

The executive director of a Southern California health information exchange describes a pilot project that's testing whether patient identifiers make it easier to match patients to their records from multiple organizations.

IT security expert Marcus Ranum says RSA's offer to replace its SecurID tokens is a deal worth taking.