
Choosing an Intrusion Detection or Intrusion Prevention System for PCI DSS

An IDS differs from an IPS in that it only raises an alert to administrators when it detects suspect activity; an IPS sits inline and takes corrective action, such as dropping the offending traffic or resetting the connection, in addition to alerting. PCI DSS accepts either, as long as intrusion-detection and/or intrusion-prevention techniques cover the perimeter of, and critical points inside, the cardholder data environment.

A network TAP provides the best connection point for a passive intrusion detection sensor. Unlike a switch SPAN (mirror) port, which becomes oversubscribed and silently drops packets once combined traffic exceeds the port's capacity, a TAP passes a complete copy of traffic in both directions to the sensor. Note that a passive TAP only copies traffic: an IPS that is expected to block must be deployed inline in the traffic path.

IPS solutions are considered the "next generation" of intrusion detection and, when properly configured and tuned, take corrective action in addition to alerting the appropriate personnel. The caveat is that a poorly tuned IPS blocks legitimate traffic on every false positive, so most deployments start in alert-only (IDS) mode and promote individual signatures to blocking only after they have been validated against production traffic.
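As an added example that is not part of the original article, the same Suricata signature written once in IDS form and once in IPS form makes the alert-versus-block distinction concrete. The rule body, ports and sid values are illustrative placeholders rather than a vendor signature, and the command lines assume a Linux sensor that either listens on a TAP/SPAN interface or sits inline in front of an iptables NFQUEUE rule:

```suricata
# IDS form: on a match Suricata logs an alert and the traffic passes untouched.
# Rule content, port and sid are illustrative placeholders, not a real signature.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"RDP connection into the CDE from outside"; flow:to_server,established; sid:1000001; rev:1;)

# IPS form: identical match, but the packet is discarded when Suricata runs inline.
drop tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"RDP connection into the CDE blocked"; flow:to_server,established; sid:1000002; rev:1;)

# Passive (IDS) deployment, sensor attached to the TAP or mirror port on eth1:
#   suricata -c /etc/suricata/suricata.yaml -i eth1
#
# Inline (IPS) deployment, traffic handed to Suricata through netfilter queue 0:
#   iptables -I FORWARD -j NFQUEUE --queue-num 0
#   suricata -c /etc/suricata/suricata.yaml -q 0
```

The "drop" action only takes effect in the inline (-q) deployment; when the same rule file is loaded by a passive sensor there is no packet in the forwarding path to discard, so the drop rule behaves like an alert rule. That is why a TAP-fed sensor cannot become an IPS by changing rule actions alone.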

Six basic skills of an IT security department

Every security department, no matter how small, requires the same general set of skills:
1. Security administration
2. Policy development
3. Architecture
4. Research
5. Assessment
6. Audit

That is not to say that each security department requires a minimum of six people; on the contrary, the number of people a security department needs depends on many other factors. These skills define the department's tasks. The first of them, security administration, is also described as "security operations": the day-to-day operation of the security systems within the organization. These systems may include:
• Operating systems security and access control
• Firewalls
• Intrusion detection systems
• Authentication systems
• User accounts
• Vulnerability scanners
• Policy management systems
• Public key infrastructure
• Encryption systems

1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

The 1980 Organization for Economic Co-operation and Development (OECD) Guidelines set out eight basic principles for the handling of personal data:
1. Collection limitation
2. Data quality
3. Purpose specification for data collection
4. Use limitation
5. Security safeguards (personal data must be protected by reasonable safeguards against loss, unauthorized access, destruction, use, modification or disclosure)
6. Openness about practices and policies concerning personal data
7. Participation by the individual on whom the data is being collected
8. Accountability of the data controller

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted on 23 September 1980, continue to represent international consensus on general guidance concerning the collection and management of personal information. By setting out core principles, the guidelines play a major role in assisting governments, business and consumer representatives in their efforts to protect privacy and personal data, and in obviating unnecessary restrictions to transborder data flows, both online and offline. The reflection of twenty-one years of expertise and experience shared among representatives of OECD governments, business and industry, and civil society, this publication contains the instruments that serve as the foundation for privacy protection at the global level: the 1980 OECD Privacy Guidelines, the 1985 Declaration on Transborder Data Flows and the 1998 Ministerial Declaration on the Protection of Privacy on Global Networks.


Enterprise Risk Management Summary

1. Aligning risk appetite and strategy. Management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.

2. Enhancing risk response decisions. Enterprise risk management provides the rigor to identify and select among the alternative risk responses: risk avoidance, reduction, sharing, and acceptance.

3. Reducing operational surprises and losses. Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and the associated costs or losses.

The Family Educational Rights and Privacy Act and the TEACH Act

The Family Educational Rights and Privacy Act (FERPA) prohibits educational agencies and programs, on pain of losing federal funds, from having a policy or practice of "permitting the release of" specified educational records. FERPA does not state whether the prohibition places affirmative requirements on educational institutions to protect against unauthorized access to these records through the use of information security measures. It is certainly possible that a court could conclude in the future that an educational institution which fails to take reasonable information security measures to prevent unauthorized access to protected information is liable under FERPA for "permitting the release" of such information.

The recent case of a Vermont college system employee having such data on a laptop that was later stolen (see Chapter 1 sidebar "The Real Cost of Remediation") might test this very statute. The 2002 Technology, Education, and Copyright Harmonization Act (the "TEACH Act") explicitly requires educational institutions to take "technologically feasible" measures to prevent unauthorized sharing of copyrighted information beyond the students specifically requiring the information for their studies, and, thus, may create newly
