Kelly Todd

Tenable and SCAP 1.1

Tenable recently announced that SecurityCenter 4 has been validated by NIST as conforming to the Security Content Automation Protocol (SCAP) version 1.0. The specifications for the latest version of SCAP, 1.1, have recently been released through NIST’s third public draft of Special Publication 800-126 Rev. 1, and the revision is currently open until January 28 for public comment on implementation, content or functional issues within the specification. Tenable is already focusing on the changes included in SCAP 1.1 and will incorporate them into both SecurityCenter and Tenable’s xTool, which is used to parse XCCDF SCAP content available from NIST and also convert SecurityCenter reports into the FDCC reporting format.

Tenable Reaches 100th Employee

For the past several months, Tenable Network Security has been creating and filling new positions within the company. As we continue to grow, Tenable has been steadily working to improve Nessus and its line of Enterprise products, and we have recently added our 100th employee to our roster… but we’re not done yet. Tenable currently has nine open positions listed on our Careers page, including career opportunities in Development, Engineering, Training and Sales.

Among the positions listed is a “Digital/Web Strategy Coordinator”, which is designed to develop and maintain Tenable’s customer-facing websites. The ideal candidate for this position will have a unique blend of technical and marketing skills, excellent communication skills and the ability to work on multiple strategic projects simultaneously. This position reports to the Director of Marketing and will work closely with our Sales, Development and Content groups to improve our existing online presence and complete new online projects.

Tenable’s Director of Marketing, Susan Corbin, says, “This position is a great opportunity for someone who enjoys taking an idea or concept, formulating a marketing strategy around that concept, and then working the project through to completion. It is a very hands-on role with a lot of room for learning and growth potential, which is perfect for someone who wants to get some real-world marketing experience under their belt.”

OWASP: From FROC to SecurityCenter

The Front Range OWASP Conference (FROC) 2010 was held in Denver, Colorado last week and provided a full day of talks and events aimed at a wide variety of information security professionals. The event featured three speaker tracks: “App Sec/Technical”, “Cloud/Mobile/Emerging” and “Management/Executive” as well as a panel discussion and Capture the Flag (CTF) contest. Since 2003, OWASP has maintained and updated the OWASP Top 10 list to categorize and prioritize web application risks as they have evolved over the years, and the list has become a popular tool for helping organizations assess risk and formulate their remediation strategies.

Not Just for Health Care Providers Any More - HITECH for Business Partners

Enacted on February 17, 2009, the Health Information Technology for Economic and Clinical Health Act, also known as the HITECH Act, was designed to protect the security and privacy of Personal Health Information (PHI). Although related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act expands on the requirements to protect health information and covers a wider range of entities. Under the HITECH Act, business partners of health care providers are now subject to HIPAA requirements and to the penalties for violating them. These new requirements for business partners become effective on February 17, 2010, one year to the day after the HITECH Act was signed into law by President Obama.

When many people think about data breaches and personal information, they tend to think about the loss of credit card information or Social Security numbers rather than medical information. However, over 220 data loss incidents recorded in the DataLossDB over the last several years involved medical information, and there are certain to be countless other incidents that were either not publicly reported or have not yet been cataloged in the database. Accordingly, the HITECH Act will also establish a new breach notification requirement that goes into effect in September 2010:

Sec. 13402. Notification In The Case Of Breach.
(a) In General.—A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information (as defined in subsection (h)(1)) shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.

It should be noted that many states do not include medical information in their data breach notification laws, but since the HITECH Act is federal legislation, all health care entities and their business partners are required to disclose a breach if it can be treated as “discovered”. Notification may include not only individual notices to those people affected, but also possibly notice to “prominent media outlets” and, where applicable, the Department of Health and Human Services.

Understanding The New Massachusetts Data Protection Law

After months of defining, redefining, extending deadlines and planning, a new law in Massachusetts that affects all businesses that handle personal data of Massachusetts residents is finally about to go into effect. According to Massachusetts 201 CMR 17:
"The objectives of this regulation are to insure (sic) the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer."