Archive for October, 2015

NIST awards three-year grant for cybersecurity jobs ‘heat map’

From: FedScoop

IT trade group CompTIA will receive $249,000 in the first year of the project to illustrate the geography of cybersecurity job vacancies. The map is expected to come out in late 2016.

By Whitney Blair Wyckoff

The National Institute of Standards and Technology announced Tuesday it awarded a three-year grant to the IT trade group CompTIA to create a “heat map” of cybersecurity jobs.

Aiming to be ‘the chief enabler of all government services’

From: GCN

By Troy K. Schneider

At the recent National Association of State CIOs conference in Salt Lake City, Colorado Secretary of Technology and CIO Suma Nallapati spoke with GCN Editor-in-Chief Troy K. Schneider about her state’s efforts to weave better IT into every citizen interaction — and to convince IT talent that government work is worth exploring. The answers below have been edited for length and clarity.

What’s the focal point for your team right now?  What should we be looking for from Colorado?

How the feds got Splunk’d, according to CEO Godfrey Sullivan

From: Federal Times

Jill R. Aitoro, Editor

Some might say that Splunk is undergoing an identity crisis – a security company to some, big data to others. CEO Godfrey Sullivan explains why labels don’t matter.

Some might say that Splunk is undergoing an identity crisis.

The company is widely regarded as a security company, particularly among federal customers. And there’s a strong case to be made for that, when you consider that one customer in the Pentagon managed to fence off a Trojan horse before it infiltrated systems, thanks to a discovery of the malware — the same malware that took down the network of the rest of the office for a couple weeks

More Dominos Fall on the Data Protection Table

From: Privacy and Security Matters | Mintz Levin

As all of our readers know by now, as of October 6, the US-EU Safe Harbor Framework is no more. Safe Harbor was the mechanism on which thousands of US companies (and thousands of companies based in the European Union) legitimized their data transfers from the EU to the US. All the background, including links to a recording of our “emergency” Privacy webinar on the issue, can be found here, here, and here.

Two more dominos outside the European Union have toppled.


What does the new EU data protection regime mean for datacentres and cloud service operators?

Changes to European data protection law will put new responsibilities on datacentre and cloud providers

Daniel Hedley

The process of reforming European data protection law has been protracted, to say the least. However, the target for a final text of the EU General Data Protection Regulation (GDPR) is now firmly set for the end of 2015, and it is expected to come into force some time in 2017.

For datacentre and cloud service operators, this means big legislative changes are probably just over a year away and the time to start work on compliance with those changes is now.

Hacked: 5 things to know about new DOD cybersecurity regulations

From: Lexology | Virginia Construction Law Blog

Vandeventer Black LLP | Neil S. Lowenstein

In 2007, a preeminent American defense contractor first reported cyber attacks emanating from China. Four years later, upon a visit by then Secretary of Defense Robert Gates, the Chinese Air Force revealed a fighter jet unnervingly similar to the one manufactured by the hacked American contractor. More recently, the FBI reported in July 2015 that hackers accessed the personnel files and security clearances of over 22 million federal employees and contractors.

The FTC’s Broad Authority and FTC v. Wyndham: Thinking about the Future of Data Privacy Regulations

From: Security, Privacy and the Law | Foley & Hoag

What makes data privacy law interesting for academics, challenging for lawyers, and frustrating for businesses is its shape-shifting structure in the face of rapidly changing technology. The recent invalidation of the US-EU “safe harbor” system is a useful reminder of the differences between the way the European Union and the U.S. handle questions of data privacy: whereas, generally speaking, in the EU data privacy standards are relatively uniform, in the U.S. there are as many different sets of regulations as there are states, with various federal laws and regulations filling in various gaps or providing additional compliance issues. I have elsewhere referred to this as a “patchwork” system (although some might prefer the term “crazy quilt”).

Nike pushes security, wants employees to ‘Keep It Tight’

From: Oregon Live

By Allan Brettman

Against a backdrop of at least two brazen security breaches, Nike also took significant steps this year to better protect its product designs and other proprietary information. It launched a “Keep It Tight” education program for employees, making them aware of security threats, particularly cybersecurity breaches.

“Companies are now dealing with sophisticated levels of digital crime,” said Gus Malezeis, president of Tripwire, a Portland online security software company. “They’re finding that these (bad) guys have been here and they scoped out the data and they’re walking away with it.”

Model clauses no substitute for ‘safe harbour’ data transfers to the US, says German watchdog

Businesses relying on European Commission-approved model contract clauses to transfer personal data from the EU to the US should terminate or suspend those arrangements, a German data protection watchdog has said.

The Independent Centre for Privacy Protection in the state of Schleswig-Holstein said (5-page / 56KB PDF) it was its view that EU-US data transfers facilitated by the use of model clauses fail to comply with EU law.

It outlined its opinion in a new position paper published in light of the ruling last week by the Court of Justice of the EU (CJEU) that the ‘safe harbour’ framework for enabling EU-US data transfers is “invalid”.

The New Security Metrics for Today’s Federal Agencies

From: GovLoop

Courtney Benhoff

Just a few years ago, the only security metric that mattered was whether your organization had been hacked or not.

This all-or-nothing definition of security success is now outdated. There are new, more complex metrics that measure the strength of your security posture. They include:

  • Mean Time to Intrusion: How long (hours or days) would it take someone to get into your network from the outside? This should be a long time.
  • Mean Time to Detection: How long does it take to notice they are in your network? This should be a short time.