Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Security Policies. Show all posts
Security Policies
Cyber Security Federal Government Financial Institutions FTC Security incidents Security Policies

The FTC’s new Amendment Requires Financial Institutions to Report Security Breaches Within 30 Days


The Federal Trade Commission has recently enacted an amendment that mandates non-banking entities to notify the Federal Trade Commission of specific data breaches along with other security incidents.

This mandate requires the creation, execution, and upkeep of an extensive security policy to protect consumer data, and it applies to businesses including payday lenders, auto dealers, and mortgage brokers.

The Safeguards Rule, which required financial institutions to report security breaches found in their systems as soon as they occur, was recently amended by the federal government. Organizations must notify the Federal Trade Commission (FTC) "as soon as possible," but no later than 30 days, of any security issue involving the information of 500 or more customers. 

It has been made mandatory for organizations to report the FTC in case any malicious or unauthorized entity gains illicit access to unencrypted customer data. However, this requirement is only applicable if the data is encrypted and hackers have obtained access to the encryption keys.

From April 2024, the new regulation will go into effect 180 days after it is published in the Federal Register.

FTC further informs that following the discovery of a security incident, non-banking financial institutions will have to use the FTC's online site to report pertinent information to the commission. The identity and contact details of the reporting institution, the number of customers affected, a description of the data disclosed, the date of exposure, and the length of the incident should all be included in a thorough breach report.

Moreover, the amendment will also enable firms to notify the FTC in case the public disclosure of the breach jeopardizes their investigation or national security. An official from law enforcement may as well ask for an additional 60-day delay before making the information public. 

The FTC's Bureau of Consumer Protection head, Samuel Levine, stressed that businesses that are entrusted with private financial data must be open and honest "if that information has been compromised." These businesses should be given "additional incentive" by the new disclosure obligation to actually protect the data of their customers.

In October 2021, the FTC released revised guidelines to improve data security while also inviting public feedback on a proposed supplemental amendment to the data breach reporting standards. The new amendment was ultimately accepted by a unanimous vote of three to one.  

Read more »
Vulnerability
Automation Bugs Flaws Research Security Policies Software Industry Software Security Vulnerabilities and Exploits Vulnerability

Mitigating Software Security Flaws with Automation

 

A group of UTSA researchers is investigating how a new automated approach could be used to prevent software security vulnerabilities. The team intended to create a deep learning model that could train the software on how to automatically extract security policies. 

Unlike traditional software development models, the agile software development process is intended to deliver software more quickly, eradicating the requirement for lengthy paperwork and changing software requirements. The only required documentation is user stories, which are specifications that define the software's requirements. However, the fundamental practises of this method, such as frequent code changes, restrict the capacity to perform security assurance evaluations.

Ram Krishnan, associate professor in the UTSA Department of Electrical and Computer Engineering stated, “The basic idea of addressing this disconnect between security policies and agile software development came from happenstance conversation with software leaders in the industry.” 

Before arriving on a deep learning strategy that can handle several formats of user stories, the researchers looked at various machine learning approaches. To conduct the prediction, the model is composed of three parts: access control classifications, named entity recognition, and access type classification. The software uses access control classification to determine whether or not user stories contain access control information. The actors and data objects in the storey are identified by a named entity. The link between the two is determined by the access type classification. To evaluate their approach, the researchers used a data collection of 21 online applications, each with 50-130 user stories (a total of 1,600). 

Krishnan stated, “With a dataset of 1,600 user stories, we developed a learning model based on transformers, a powerful machine learning technique. We were able to extract security policies with good accuracy and visualize the results to help stakeholders better refine user stories and maintain an overview of the system’s access control.” 

According to Krishnan, this unique new method will be a valuable tool in the modern agile software development life cycle. A manual method of extracting security policies would be error-prone and costly because agile software development focuses on incremental modifications to code. It is just another area where machine learning and artificial intelligence have proven to be effective. 

He further added, “We recognize that there is little additional information about access control that can be extracted or determined directly from user stories in a fully automated approach. That means it is difficult, or impossible, to determine a software’s exact access control from user stories without human involvement. We plan to extend our approach to make it interactive with stakeholders so that they can help refine the access control information.”
Read more »
Subscribe to: Posts (Atom)