Wednesday, 14 September 2011

Brazil's Internet Law

The bill, now in Congress, establishes the principles, rights and duties of Internet users.

The National Congress will soon consider the Internet bill, also called the Marco Civil Internet, which sets out the principles, rights and duties for using the World Wide Web.

The scope of the bill includes users, companies and the government. For two years, between 2009 and 2011, and before it was formally submitted as a bill by the Ministry of Justice, the issue was discussed by civil society organizations. In the process it received more than 2,000 contributions and 100,000 visits over the Internet.

The bill reinforces constitutional principles such as free speech, privacy and secrecy of communications, human rights, and the broad right of Internet access for everyone.

It also establishes that only the person who posts content anywhere on the net is liable for any damage it causes, exempting the provider or intermediary (websites, blogs, portals and social networks) from that liability. The service provider is liable only if it fails to comply with a prior judicial decision ordering removal of the content.

Another important point concerns data storage: the provider must keep users' connection records (the computer's IP address and the time and date of access) for one year. Such data can only be obtained by court order, and the one-year retention period may be extended upon demand, for instance by the police authority assisting the judiciary.

Net neutrality is another fundamental point: it requires ISPs to give undifferentiated treatment to all data packets travelling on their networks. They may not favor certain websites over others by providing them, for example, faster access (more bandwidth).

The state also confirms its role in reducing inequalities in Internet access and encouraging use of the network as a tool for transparency and democracy. The bill, however, does not cover issues such as copyright, cybercrime and e-commerce.

To become law, the bill must be approved by the House of Representatives and the Senate.

Hopefully it will pass and be ready for the President's approval by the end of the year.

Tuesday, 6 September 2011

Information Security in Brazil

Currently the demand for information grows by leaps and bounds; through search engines we have access to everything we need, as well as to information from organizations, whether it is published on the Web or not; in either case the information is stored in virtual environments.

IT and information security within organizations are growing substantially, and this highly complex field demands competent professionals to control such a dynamic environment.

Securing information is not only a matter of mastering the technical side to safeguard the information of an organization, its customers, suppliers and other parties relevant to the business. Information security is also awareness. Employees need to be aware of the importance of the information that flows within the company, whether verbal, written, electronic or otherwise.

Brazil, when it comes to this awareness and to rapid development on the subject, still has much to do. There are some initiatives from the Federal Government, such as GSI Instruction No. 01 of 13.06.2008, which regulates Information Security Management in the Federal Sphere; a bill to ensure the protection of personal data; Denatran Ordinance 1334/2010, which requires ISO 27001 (Information Security Management System) certification for an entity to function as a Central Management Unit (UGC); and Resolution 3658 of the National Land Transport Agency - ANTT (Ministry of Transport) on the electronic payment of freight, which cites an Information Security Management System.

As for the protection of personal data, despite the constitutional provision, Brazil has nothing specific on the subject, unlike various countries that have regulated this right of the citizen, such as the United States, Japan, Argentina, Chile and Uruguay, among others.

ISO 27001 provides controls covering, among other things, protection of the privacy of personal information, intellectual property rights, physical and logical access controls, and business continuity.

Currently, Brazil has fewer than 30 companies certified in ISO 27001.

Thursday, 27 May 2010

BCP - Size Does Not Matter

It is not just about size. When we mention a Business Continuity Plan (BCP), what comes to mind is the large enterprise. But those, in general, do not represent more than 15% of a country's officially registered businesses. Small and mid-size companies have their share of the local economy, and a big one.
So, regardless of the size of the business, a BCP comes in handy.

First of all, a series of questions to be answered by CEOs, co-founders and heads of startups: Do we need it? Do we want it? And most of all, what for?

The need for a small or mid-market company to invest in business continuity plans must be entirely related to the risks it takes given the business it is in.
- In some areas, regulatory demands are very important and business continuity is required. Take, for example, banks and insurance companies.
- Sometimes a customer may require the PCA, as well as a BCP or Information Security Policies: we have to bear in mind that large enterprises are increasingly dependent on their subcontractors on major contracts, which may represent a risk for them. So, in order to protect themselves, they force their partners, by contract, to set up a BCP.
- Some organizations that advise or finance startups also require assurance of business continuity. They want to be sure that the company, in the event of facing a loss, will have what it takes to keep going.
- Last but not least, some firms are more motivated to implement a BCP: those that have already suffered a loss themselves, those that have been in contact with a nearby company that has been affected, or worse, those that have already experienced some sort of breakdown in any area of their business.

How should a BCP be designed?

Before setting up a BCP, the company must ask simple, effective questions:
- What should be protected: Data? Information? Know-how? Collaborators? The information system? Production?
- What is the maximum loss of data or information that can be admitted?
- What is the longest acceptable period of interruption?

The key is to determine the criticality of the elements.

The BCP should reflect the outcome of all these risk considerations, and according to these criteria it can adapt its level of assurance to the company.

But this is only part of the process. To remain effective, the plan must evolve continuously, or it becomes ineffective. It must adapt to changes that take place in the company (for example, a merger) and in its environment (a drastic example: a TNT plant setting up its business in the same area).

Most important, it should also take into account the evolution of risks. Who would have thought of cyber security as a major risk, say, 10 or 15 years ago? Risks today have evolved to the point where we must distinguish a physical risk from a virtual one. A BCP's characteristics must follow the risks all along.

Implementation

When the decision to move on to a BCP is taken, the next question is whether to do it in-house or rely on a third party for the task. Any business will be better off with external help.

Many reasons justify the use of an outside provider.
- Experience. Businesses are rarely confronted with major physical disasters such as fire, floods or other destruction, so internal teams lack experience when such an incident occurs.
Third parties, on the other hand, have this expertise. Their teams, specially suited for the job, know not only how to organize full checklists to resume operations, but also how to restart the core functions of the business in the shortest possible time.

In addition, small and medium businesses do not have the necessary additional space, located far from their original site, to accommodate backup data centers and storage solutions.
Companies have to change their beliefs about local backup: media are not reliable after a period of time, resulting in restorability issues.

Finally, using third-party services for a BCP provides real-time updating of both systems and data, in addition to their protection. This aspect is very important because small businesses setting up a BCP often run into the problem of it becoming outdated: those responsible for the business continuity plan are either moved to other activities or the focus on the BCP diminishes and the plan becomes irrelevant.

Nevertheless, to succeed, even with third-party coaching, the project must be culturally accepted internally at all levels: it is a decision by the company as a whole.

Sources: ABNT, MS, HP

Friday, 23 April 2010

Information Security Team

It is known that CI professionals, observers of all calibers, lobbyists and advocates are after valuable information inside and outside their companies.

Once information is recognized as part of the intangible assets of the company, it is absolutely necessary to set up policies for its proper handling and protection.

Who will do it?

A team specifically dedicated to information security.

The next questions come up: how to set up such a team? Who will lead it?

Some aspects must be taken into account when setting up an information security department.

Knowledge of information security is captured in various models currently available, among them the ISO/IEC 27000 series (information security).

The knowledge relating to Information Security Management Systems (ISO 27001) and the Code of Practice for Information Security Management (ISO 27002) should be disseminated throughout the organization. However, when structuring an information security department, companies find themselves in a worrying scenario.

1 - The information security analyst should have deep technical knowledge. I am not referring to certifications; I am talking about practical knowledge and experience in the subject.

2 - Some companies insist on promoting someone from the IT department to the position of Information Security Manager. That professional actually has a very different profile from the one needed to take on this responsibility.

As an example, I will describe the profile found among those promoted to the position of Information Security Manager as described in the paragraph above:

• He has experience in broader subjects such as databases and software development, using only the most basic security features.

• He has no history of attending lectures, events or training on information security.

• He is not acquainted with international information security standards (e.g. ISO 27002) and does not follow bulletins about new threats on the Internet.

• He reads only books on database technologies and software development languages.

• He has a degree in database technology, an MBA in Information Technology and certifications from Microsoft and Oracle.

- Can you guess what his role in the company was? That's right: he was responsible for managing the database. Now he is the Information Security Manager, with a lot of ground to cover to reach the necessary profile.

3 - Some companies create an information security department just to manage access to the computing environment: it creates users, changes passwords, sets permissions on directories and so on, all to comply with regulations or audits.

4 - Creating an information security department subordinate to the Information Technology area is the most common mistake organizations make.

On the organization chart, the security area should be aligned with the legal department and audit. An information security area subordinate to the IT director functions more as technical support than as the area responsible for the whole Information Security Management System.

Success factors

The success of your company is not tied to its technological arsenal. There are factors that should be considered when deciding to create an information security team and implement an Information Security Management System (MSIS). The first factor is obtaining approval from the organization's managers to launch the MSIS implementation project.

At this stage the project team presents the priorities, objectives and scope for deploying the MSIS. It should also discuss changes to the company's organizational structure, including responsibilities, to meet the project objectives and business needs.

The output of this phase is the approval and commitment of managers to implement the Information Security Management System.

The second factor is the diagnosis and analysis of the maturity level. During this phase, we map the organization's current situation and present a list of needed improvements to information security processes, establishing a link between the organization's strategic planning and the implementation of security systems.

The third aspect is the creation of an interdepartmental committee to develop information security policy and standards, with the support of the board and/or senior management, based on Information Security Governance guidelines, business needs and regulations.

With the support of the CEO

The creation of an information security team and the definition of its responsibilities depend mainly on the guidelines established by the board and/or directors. These guidelines should be documented in the Information Security Governance policy.

Information Security Governance clarifies for managers the company's strategic objectives regarding information security. Down the line, it presents a list of legal, regulatory and contractual requirements involving information security that apply to the business.

The combination of these three factors will help your company create an information security team and implement an Information Security Management System.

Sources: ISO/IEC 27001,27002; ABNT

Wednesday, 27 January 2010

Checking Figures

After the earthquake that devastated the poorest country in the Americas, the world has shown the most generous expression of solidarity in history.

Amid so many reports and press releases it is difficult to know who did what and how much has been given.

At this link you will find the raw numbers for each country, per capita figures, and the most generous nations relative to their GDP.

For the details, this spreadsheet shows the numbers more accurately.

To compare with what was done for the 2005 Indian Ocean tsunami, the image below shows what each country had promised and what it effectively delivered:

The tsunami numbers in detail here.

Now if we compare this to the spending of the USA alone on the fronts in Iraq and Afghanistan, a feeling of shame is inevitable.

Sources: Information is Beautiful, The Guardian, ReliefWeb, OECD, costofwar

Monday, 18 January 2010

HAITI - What we can do for now

Haiti's tragedy has shocked everyone. The Internet is doing its part to help.

Here is what we can do right now.

Financial Aid:

Musician Wyclef Jean's website - http://www.yele.org/

Donation page on the site: https://co.clickandpledge.com/advanced/default.aspx?wid=23093

Google's special page (including post-earthquake Google Earth images): http://www.google.com/relief/haitiearthquake/

List of major organizations accepting donations: http://mashable.com/2010/01/13/haiti-earthquake-donate-help/

To keep on top of what is going on:

Mercy Corps' Twitter: http://twitter.com/mercycorps

NY Times' Twitter list (which follows the Red Cross's, Catholic Relief Services' and Internet Haiti's) - http://twitter.com/nytimes/haiti-earthquake

CNN (same sources as the NY Times' plus updates from bloggers and local Twitter users) - http://twitter.com/CNN/haiti

This blogger posts regularly: http://livesayhaiti.blogspot.com/

As all the links above are in English, a translation tool is available here: http://translate.google.com/?hl=pt#en|pt|

Do you want to act?

If you have a special skill and want to help, this organization is coordinating efforts and accepting offers of online work; it also lists some of the disaster's initial figures: http://crisiscommons.org/wiki/index.php?title=Haiti/2010_Earthquake

Tuesday, 10 November 2009

Ten years promoting Intelligence

The Master's Program in Competitive Intelligence at the University of Toulouse, France, will celebrate its 10th anniversary this coming January.

Among the top French universities offering a Master's program on the subject, it is a pleasure to publish the program of festivities on this blog. After all, all the consultants gravitating around TIF are offspring of M2IE - UT1!

For those interested in an afternoon Competitive Intelligence conference and debate on major topics, followed by a 'Gala Night' in the best French style and charm in a superb atmosphere, mark 15 January on your agendas!

Below you will find the invitation; if you want to be kept up to date with further information, just click on the first link, between the dashed lines.

To contact those responsible for the event, click the second link on the announcement.

CONFERENCE / DEBATE followed by a GALA

On the occasion of the 10th anniversary of the professional Master's in Intelligence Économique (Competitive Intelligence), a Conference/Discussion followed by a Gala is being organized, for the first time, on 15 January 2010 in Toulouse, starting at 4 pm.

Former students, professors, speakers, professionals in the field, business leaders and internship tutors are cordially invited to this exceptional event.

FOR MORE INFORMATION:
------------------------------------------------------------
To stay informed, we invite you to pre-register here
------------------------------------------------------------
The organizing committee can be reached here