Secure Value: Information Security

Information Security

02/01/2012

Armed Robberies Hit Close to Home

Our local business community is up in arms about a recent string of (currently 9) armed robberies that have occcured over the last several weeks. Many businesses are now taking extra precautions to protect their valuables and their employees.

In a community targeted release about the situation, Hilliard City Police Department suggests that

"Every business should take an active part in making their business safe. Here are some suggestions to help prevent robbery:

Have at least two employees open and close the business
Install a robbery alarm
Place a surveillance camera behind the cash register facing the front counter with a digital recorder
Vary times and routes of travel for bank deposits
Keep a low balance in the cash register. Don’t leave large bills under the drawer
Place excess money in a safe or deposit it as soon as possible
Stay Alert! Know who is in your business and where they are.
If you see something suspicious, call the police. Never try to handle it yourself.
Use care after dark. Be cautious when cleaning the parking lot, taking out the trash, or going to your car after work.
Make sure to post important signs “Clerk cannot open the time lock safe” , “Premises protected 24 hrs by video surveillance”, etc.
Cooperate with the robber for your own safety and the safety of others. Comply with a robber’s demands. Remain calm and think clearly. Make mental notes of the robber’s physical description and unique characteristics."

Posted by Douglas Davidson at 10:31 PM in Information Security, Secure Value, Security Awareness, Security in the Business News, Threats | Permalink | Comments (1) | TrackBack (0)

08/04/2011

Forget customer privacy for a moment ... are you protecting your key business information?

With so much focus these days on data privacy and individual identities much of the conversation within the security community and from the security community to the business community skips over other critical information types that need to be protected.

This is a list of information that you should also work to protect:

1.    Information about your systems and networks. When I backpack I don't do very well if I have to go off trail and I don't have a map. The same is true for someone trying to break into your information systems. If you fail to protect the information describing your systems and networks (network maps, configuration files, etc.) then you may just be providing a map to someone who wants to explore your network and find more valuable information. Are you making your network an outside explorers paradise?

2.    Your company's secret sauce. You may not have a secret sauce made of "11 herbs and spices". Or your business may not depend on the mysteries of an ancient chinese secret (Remember the Calgon commercials?) but all of us in small business have our secret sauces. For Jacadis, it is the unique way we deliver many of our services. For a printing client of mine, it is the unique steps that they have created to protect confidential data transmitted to them from larger customers. That process has helped them win business because other printers aren't doing it. Years ago we did work for a company that made a unique material used in the florist business. They were the only company in the world that could produce the material at quantity and had factories world wide that did it. Their key asset was the chemical formula and process to produce that material. Are you protecting your secret sauces?

3. Intellectual property, according to wikipedia, refers "to a number of distinct types of creations of the mind for which a set of exclusive rights are recognized—and the corresponding fields of law.   Under intellectual property law, owners are granted certain exclusive rights to a variety of intangible assets, such as musical, literary, and artistic works; discoveries and inventions; and words, phrases, symbols, and designs. Common types of intellectual property include copyrights, trademarks, patents, industrial design rights and trade secrets in some jurisdictions." To maintain those rights you need to actively assert those rights, which as I understand it from my friends in the legal profession, includes protecting the digital versions of those rights. Are you asserting your IP rights?

3.    Work. Think of the endless hours that you spent putting together that killer sales presentation. Should it be corrupted or removed from your computer you’ll have to redo the work. The same is true for data entry, etc. The work itself might not be “secret” but should you lose it you’ll really be losing time and value. As I sit here typing most of my work is electronic collections of media (words, video, slide presentations, papers, articles, Secure-Value, jacadis.com). For your business your work may be many other things. My sales team would tell me that their biggest collection of work is the information they have on clients. A friend of mine has a laser cutting business. Unique programs are written to consistently and repeatedly cut 3D designs into different materials. These programs are his work. Another friend has a much lower tech manufacturing business, an old sand mold foundary. His forms and molds breaking means he has to redo them just as my more high tech laser cutting friend would have to do should those laser programs get lost or corrupted. In the end the loss of work means the loss of time or information. You'll have to invest time to recreate the information. In some cases you may not be able to recreate it. Are you protecting your work?

4.    Personal information about your executives, leaders and key employees. Again, to explore something you need a map. To attack a target you need a map. Freely and without thought sharing personal information on your executives, leaders and key employees may just be providing a map. This is a tricky subject though. I won't do business with a company if I can't see some information about its ownership. Most people do business with people so a company that completely hides the details of their key players doesn't earn my trust. Likewise, though, a firm that freely shares contact information, addresses, personal information, etc. about its members opens itself up. On a simple level, executive emails sprinkled all over a web site invite spam. On a more complicated level, in some businesses, travel plans and other locational information improperly shared invites more nefarious attacks. Are you protecting your key people? Are you protecting all of your people?

5. Personal, though non-protected, information about your customers and prospects. Again, protect the map. Customer lists, detailed information about your customer's pains and challenges, and the other sort of information that fuels a personal realationship between your business and your clients should be protected regardless of whether or not the informaiton is consdiered private, confidential or in some way protected by law or regulation. Protecting your customers information promotes trust. Are you promoting trust with your customers?

What types of information that must be protected did I miss?

Posted by Douglas Davidson at 09:54 AM in Assessments and Tests, Committee Action, Competitive Advantage, Continuity Planning, Information Security, Information Security Basics, Innovation, Online Business, Risk Analysis, Risk Management, Secure Value, Small Business | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: information security, Intellectual property, risk management

05/06/2011

Doing More Information Security with Less

Image via Wikipedia

This article by Jerod Brennan first appeared in Jerod's blog on IT Toolbox. Though it is from the perspective of the information security professional the business owner, executive or CIO who manages a "security professional-like creature" might find in helpful. The reality of the infosec "guy" in a company is the reality of the unfunded mandate, things that get assigned to be done that have no supporting resources. Many companies deal with their regulatory obligations through unfunded mandates. Does your firm? Read this and then start a conversation with your infosec guy about how you cand get more done with less.

If you’re an information security professional, chances are the words “unfunded mandate” have come up more than once during your career. Whether it’s compliance with regulations like HIPAA/HITECH and PCI, or the deployment of a new application or technology to enable the business, the available budget never seems to be enough to cover the work on the security team’s plate.

With so many priorities competing for so few resources, you’re probably asking yourself, “Where do I begin?”

Three words: Security Tool Optimization.

Most information security organizations have grown organically. Chances are you started with a firewall, something to keep unauthorized users from accessing company resources. Then you added antivirus, to prevent business operations from being interrupted by a virus outbreak. Over time, you probably added an anti-spam solution, an Internet access gateway, patch management, intrusion detection, encryption, VPN, a vulnerability scanner… the list goes on and on.

Trying to maintain all those security point solutions is a nightmare. You’re spending all of your time keeping these point solutions up and running, when your time would be better spent analyzing and addressing the specific risks that could have a significant negative impact on your business.

It’s time to take a step back and take stock of your environment, approaching the process with a fresh perspective. Realize that your collection of security tools isn’t a burden. It’s an opportunity.

Your company values information security enough to invest both capital funds and operating expense into deploying and maintaining security systems. So what would happen if you combine three, four, even five of those point solutions into a single system?

You just might free up enough funds to:

Hire another security analyst.
Address a gap in your current control set by investing in a new technology.
Send your team to training.
Prove to the CIO that security isn’t a financial black hole.

Doing more with less is par for the course when it comes to information security. Optimizing your existing information security toolset is the first step you need to take in order keep your security organization strong.

http://www.jacadis.com/

By day, I'm a principal security consultant with a security solutions and services provider. By night, I'm a husband, father, writer, filmmaker, martial artist, and social media junkie. My approach to infosec has two key tenets: don't be afraid to void warranties, and people shouldn't have to bypass security to get their work done. Would you like to know more? http://about.me/slandail

Posted by Douglas Davidson at 01:35 PM in Information Security, Secure Value | Permalink | Comments (0) | TrackBack (0)

04/07/2011

Epsilon Aftermath Will Expand Seriousness of 3rd Party Verification for Suppliers -- Is your firm ready?

Jacadis helps businesses prepare and respond to security questionnaires and audit requests from their usually larger customers. We also are the audit and assessment team for some firms who choose to use external resources to review their key vendors' security.

Frankly, as breaches Epsilon isn't a big of deal. No protected information, just names and email addresses were taken. And more sophisticated attacks have come and gone in the press largely unnoticed.

Epsilon has received more attention than the more impactful breaches in part because it touched so many people. Non techies are talking about it. We believe that buzz is going to find its way into the executive suites and audit teams of big companies and boost the rigor and frequency with which larger firms test, prod, and assess their supply partners.

In fact it isn't just us that thinks that. The Wall Street Journal reported in Insulating Your Firm from Third Party Breaches that:

Experts suggest that companies that outsource technology services take some of the following steps:

Make sure the vendor has a recognized certification for information security, such as ISO 27001 or SAS 70 Type 2, granted by an accredited auditing organization such as the International Standards Organization;
Sign agreements that oblige vendors to undergo regular audits by third parties, at least annually. Auditors should test software (especially software that can be accessed via the Internet) and hardware as well as people, to ensure that vendors’ employees themselves don’t fall prey to scams;
Make sure vendors assume liability for breaches that affect customers and end users; and
Make contingency plans with the vendor so that neither is caught by surprise in the event of a security breach.

Management consultants and corporate governance experts are providing similar advice to their Fortune 2000 and similarly sized customers. These recommendations have been around for several years, however, the buzz from Epsilon has the potential to fuel the recommendations to reality.

This will impact you if you answer yes to any of the questions below:

Your business is part of the supply or services chain for larger regulated firms. We see most of the third party verification activity from firms that have regulatory obligations to HIPAA; PCI, GLBA or other financial privacy rules, or Sarbanes-Oxley. We have seen these type of firms apply the highest security and privacy standards to their vendors even if their vendors don’t process confidential or protected information. Do you provide services to these types of firms?
Your business provides a service that includes considerably volatile information. If, for instance, you process non-protected personal information but it is somehow seen as critical to your client’s business or it’s relationship with its customers this might apply. Or, if, for another instance, you process company confidential information such as trade secret related information. Do you provide services to these types of firms?
Firms in the supply chain stack. You may not be doing business with a regulated firm, but you may be providing services to firms that provide goods or services to firms that provide services to regulated businesses. You know what they say about it rolling downhill. Are you at the bottom of a supply chain?

Take action

If you answered yes to any of those questions we suggest the following:

1. Look at your customer agreements with firms in the categories above.

Do any of those agreements place obligations on your company to protect your client’s information in a certain way?
Do they have the right to audit?
Have you told your IT team about these obligations?
Are you prepared to meet these obligations?

2. Sit down with your technical leadership and discuss:

Are we secure? Vulnerable? Do we follow a best practices approach to information security? Which one?
Do we routinely check through tests, assessments, and/or audits our answers to the questions above?
If we got an auditing letter from an existing customer would we be ready for the audit in a week? a month? 3 months?
When the auditor arrives do we have documentation that defines our security programs values (policies), details the routines we follow to meet those values (processes), shows that those routines are being followed (logs, action reports, scorecards, etc.) and that our staff is aware of their obligations (awareness training)?
If we committed during the sales process with a new customer to do certain things to secure their data did IT and the others in the company responsible for delivering on that obligation have a hand in the answer? Are we overcommitting?
Are we managing security well enough that we can create a competitive advantage over other firms in our class? Can we use that advantage to build new business?

If your business provides business to regulated businesses upstream in your market we recommend you keep asking these questions until you feel comfortable with the answers.

Posted by Douglas Davidson at 10:45 AM in Committee Action, Competitive Advantage, Compliance, HIPAA, HITECH, Information Security, Information Security Basics, Leadership, Online Business, PCI, Policy, Secure Value, Security in the Business News, Small Business, Trust, Vendor Selection | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: Audit; Small business; Verification; Assurance; Compliance; Governance; Epsilon

02/23/2011

Secure Application Development Lunch & Learn 3/31 – Best Practices: OWASP Top 10

Does your application security plan take into account the OWASP Top 10 Web Application Security Risks?

Since 2004, organizations have steadily adopted the OWASP (Open Web Application Security Project) standard as a way to evaluate not only their own applications, but also those designed by third parties. While many developers and security professional are familiar with the OWASP Top 10, most do not understand the mechanics of the vulnerabilities and how to prevent them. If your firm develops customer facing web applications or uses internally facing web applications that collect or process protected information OWASP's practices are a concept your technical teams should adopt.

By popular request, Jacadis is offering a two-hour, instructor-led interactive class designed to introduce developers, designers, architects, managers, and organizations to the OWASP Top 10, and to educate them about the consequences of the most important web application security weaknesses. This class is taught by certified security consultants that routinely perform PCI, HIPAA, and OWASP penetration tests and vulnerability assessments.

Secure Application Development – Best Practices - OWASP Top 10
March 31, 2011 @ Tech Columbus
11:00 am — 1:30 pm - Lunch will be provided

Registration Required

Posted by Douglas Davidson at 02:18 PM in Application Development, Assessments and Tests, Information Security, Information Security Basics, Secure Coding, Secure Value, Secure Web Development | Permalink | Comments (0) | TrackBack (0)

12/16/2010

Information Inventory -- Do you know where your critical data is?

When I am introduced to entrepreneurs and other business leaders I am often asked what technologies my new acquaintance should use to protect the business from hackers.

Technology in and of itself is not going to protect any business.

Most of us running and growing small businesses relay heavily on data and information stored on computers, thumb drives, smart phones, web sites and other electronic locations.

We manage that information with technology.

We also protect that information with technology.

But if we don't start at square one with an understanding of what needs to be protected and where it is, we are going to make poor security technology decisions and waste money.

If information is critical to your business evaluate your security by following this brief exercise.

1. Make a list of all of the critical data and information you rely on to run and grow your business. We call this an information inventory.

For my business, Jacadis, it is 10-years of customer relationship data, our general ledger system, our website at www.jacadis.com, my personal blog at www.secure-value.com, internal recipes of the unique solutions we deliver to the market, as well as unstructured emails and Microsoft Office documents.

2. Where is that information? Next to each entry on your information inventory note where the entry is used, processed or stored.

For one of our clients, an insurance broker who works out of her home, everything is stored on a single PC .

For my business, Jacadis, this information is located at a web-based customer relationship management system, a web-based professional services automation service, as well as on 11 employee systems and a handful of servers. The employee systems are laptops so they exist both on our internal network as well as on the public internet when they are mobile.

3. What information in your business is protected by government regulations or vendor or customer contracts? If you work in the Health Care field or provide services to those that do you may be required to protect information via HIPAA and HITECH. If you take credit card payments, the Payment Card Industry has a say in how you protect the card data.

Unfortunately, the list of potential regulations is quite long. For an overview of the types of requirements you might be responsible for see www.secure-value.com/compliance.

4. Now rank order your inventory. Which information is most critical to your business? The next most? And so on.

5. Now you can start thinking about how to protect it. Start at the top of your list and ask these questions based on where your critical data and information is stored:

Paper-based information: Do you have a lot of paper files, order forms, etc.? Do you keep stored files under lock and key? Do you shred unneeded information?

Laptops and personal computers: Do you keep operating systems and applications patched and up to date? Do you have anti-virus, anti-spam and a personal firewall installed and operating? Do you use strong passwords (if you can find a password in a dictionary it is not a strong password) on all systems, with one password per user? Is the system encrypted so that if it is lost or stolen the data on it will be useless to whoever ends up with it? Do you back up critical files?

Network: If your business has more than two computers you have a network. Protecting a network and the information on it is similar to protecting a PC.

Are operating systems and applications patched and up to date? Is the network protected from the internet with a firewall? Are strong passwords in use on all devices? Do you back up your critical systems?

Web-based tools (or what we call in the tech business as cloud computing providers): Do you trust providers? Is the provider following leading practices to protect their systems and network? How do you know?

If you do not understand the jargon and technology issues find someone who can help you work through this process to secure the information value of your business.

Posted by Douglas Davidson at 07:06 AM in Information Security, Information Security Basics, Secure Value | Permalink | Comments (0) | TrackBack (0)

07/19/2010

10 Laws You Might Be Breaking with Your Computer

Part of information risk management is understanding and acting on the plethora of legal requirements laid down for our businesses to follow. There are Federal level laws like HIPAA, Sarbanes-Oxley, GLBA & FERPA; state level laws like the 47 states that have data protection or data notification statutes as well as private obligations like PCI DSS or individual customer contracts. There are also a number of other legal considerations in that alphabet soup many that go unnoticed.

If you are trying to manage your information risks there are a number of other, not so obvious legal issues that need to be addressed. TechRepublic highlights these in an article I just stumbled on: 10 ways you might be breaking the law with your computer.

The article lists these ten:

Digital Millennium Copyright (DMCA) Act
No Electronic Theft (NET) Act
Anti-Counterfeiting Trade Agreement (ACTA)
Court rulings regarding border searches
State and federal laws regarding access to networks
“Tools of a crime” laws
Cyberstalking and Cyberbullying laws
Internet gambling laws
Child pornography laws
Pro IP Act

Posted by Douglas Davidson at 08:01 AM in Committee Action, Compliance, Information Security, Secure Value | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: Anti-Counterfeiting Trade Agreement, Digital Millennium Copyright Act, Health Insurance Portability and Accountability Act, HIPAA, Law, Payment Card Industry Data Security Standard, Risk management, Sarbanes–Oxley Act

06/24/2010

Social media security is a business policy issue NOT a technical security issue

Image by kevindooley via Flickr

Social media security and risk management is a business and communication policy issue NOT a technical issue. Assign responsibility to a business leader and not IT or information security staff.

This week at the Gartner Group's Security and Risk Management Summit, Gartner research director Andrew Walls dropped a contrary statement on the heads of the information security and risk management employees in his workshop. Summarized (from reports on his presentation available on the Internet) he asserted that:

Information security professionals worried about malware, phishing, and information leakage who try to take control or block social media use by employees are treading into water that is similar to monitoring employee's home use of the telephone.

The malware, phishing and other attacks against the social media front are the same attacks that we see against email. Logically, if we are going to block social media why are we not considering blocking email? (NOTE: Because we need it to run and grow our businesses).

At the root of concerns about social media are concerns about its drain on employee productivity. Employee productivity is not a charter concern for information security. It is a management issue.

While the information security and risk management blogosphere lights up with arguments about whether Andrew Walls is on target or off his rocker I wanted to bring the discussion into the realm of the entrepreneur and emerging business management professionals.

I think Walls is dead on.

Too many times I see a communications topic or business process topic turned into a technical topic because it involves technologies unfamiliar to the business manager.

Twitter, Facebook, twits, followers, friends, fans, Zemanta, wiki, widgets .... and so on sounds technical and something the CIO, IT manager or that smart young kid on the help desk should be working on.

But if I boiled it down to communications channels (Twitter, Facebook, LinkedIn, etc.), conversations (twits, posts, etc.) and customers (followers, friends, fans) you could have the conversation. And you'd want to have the conversation if not control it altogether.

Though Walls' message was to information security and risk management professionals managers and leaders in the small and emerging business space need to get it. The decision about social media is a business decision not a technical or a security decision.

Here are some questions for discussion to help guide you in making that decision:

What conversations are appropriate for employees to be having with customers, prospects and the market in general online?
What topics are out of bounds?
What information is considered secret, private and confidential?
What information is regulated by government entities? How does that play into your social media policy (e.g. a doctor's office that allows friend connections from patients may be violating HIPAA)?
Can employees identify themselves as an employee of the firm?
Does that identification obligate them to certain behaviors? If they don't identify themselves as an employee does that expand their freedom?
How do you handle breaches of these policies?
What else concerns you about social media?

Document your answers into a policy statement. Formally share that statement with your employees. Assign ownership of the policy based on which business unit makes the most sense (IT to monitor use on the company network, HR to manage discipline of violations, marketing or IT to monitor your brands exposure in online conversations, IT or information security to manage endpoint controls that help protect against malware, etc.)

And then use social media to run and grow your business.

Posted by Douglas Davidson at 10:20 AM in Committee Action, Compliance, Facebook, Information Security, Leadership, Online Business, Policy, Risk Management, Secure Value, Small Business | Permalink | Comments (2) | TrackBack (0)

06/23/2010

Assess HIPAA Compliance Quickly with 3 Question Test

The 2009 ARRA HITECH Act amended HIPAA's privacy and security requirement in a number of ways. Most importantly it expanded those required to be compliant with HIPAA to include business associates. And in expanding those requirements made BA's eligible for non-compliance penalties. Many BA's we encounter don't know they need to be compliant and are grossly non-compliant. Don't know? Use this quick test.

The HITECH Act directly obligates business associates to comply with the HIPAA Security Rule's administrative, physical and technical safeguard requirements (for full information on HIPAA and HITECH see . This includes conducting a risk assessment, developing and implementing comprehensive written security policies and procedures with respect to the protected health information (PHI) that they handle, and regularly training staff on information handling procedures and security updates.

Though a full HIPAA audit or assessment requires detailed answers to hundreds of questions, we use 3 questions to informally gauge a client's compliance with HIPAA's provisions. Use them yourself to measure whether your organization stacks up against the HIPAA and HITECH rules and regulations:

1. Compliance Officer:

Can you name your HIPAA Compliance Officer? Can everyone on your staff? Can they articulate their role as compliance officer in the organization?

A base requirement of HIPAA is that a covered entity has a named compliance officer.

A no in this category suggests a high likelihood that your organization is not compliant with HIPAA and the amended HITECH act's provisions.

2. Security Awareness:

Do you train your staff annually on proper information handling techniques? Do you update them periodically on security issues such as phishing, fraud, safe online habits, proper computer use, etc.? If an auditor showed up you prove a yes to either of the above questions?

A base requirement of HIPAA is that staff are properly trained AND updated on HIPAA privacy, security and information handling (based on your written policies and procedures).

A no in this category suggests a high likelihood that your organization is not compliant with HIPAA and the amended HITECH act's provisions.

3. Incident response:

Do you have a formal documented plan detailing how you would respond to a breach (break in) of your information systems? Is protected information encrypted?

A base requirement of HITECH was the inclusion of incident response and breach notification provisions.

A no in this category suggests a high likelihood that your organization is not compliant with HIPAA and the amended HITECH act's provisions. A no in this category, as it pertains to information not covered under HIPAA may put you at risk with Ohio's data notification laws, as well.

Nos in any of these categories point to an incomplete HIPAA program. In most cases we can guage the maturity of the client's HIPAA program, without a formal gap assessment, just by measuring their response to these three questions.

Failure by covered entities and business associates to abide by HIPAA and HITECH requirements can result in fines being assessed on both the organization and the individuals involved.

Use this quick test to self-evaluate. If you can't say yes to all 3 questions consider yourself non-compliant and take action.

Posted by Douglas Davidson at 08:55 AM in Committee Action, Compliance, HIPAA, Information Security, Policy, Privacy, Secure Value, Security Awareness, Small Business | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: Health Insurance Portability and Accountability Act, HIPAA, HITECH, Security

06/22/2010

HIPAA Business Associates Must Now Comply with HIPAA

Image via Wikipedia

My preparation for a private HIPAA workshop motivated me to remind business owners that engage in business with health care companies that their exposure under HIPAA very likely was amended by HITECH. If you do business with health care entities best check it out to Secure Value.

Under the original HIPAA legislation passed in 1996, a covered entity had to be compliant with the act (and be prepared to be penalized it its provisions weren't followed). Business associates, those entitiies external to the covered entity had to sign a contract with the covered entity holding them accountable to protect the information. The business associates did not have to be compliant with HIPAA's security and privacy provisions.

Many of our clients that are covered entities or business associates providing services to covered entities are well aware of this fact. Unfortunately, it is an outdated fact. When HIPAA first hit the information security and privacy stage those in the health care and related services community familiarized themselves to its provisions, adjusted their operations on the original act and then set those adjustments in stone.

With the HITECH act, passed as part of the stimulus package in February, 2010, business associates must now comply with HIPAA's security provisions and must act to protect the privacy of Protected Health Information. These business associates are also now eligible for the penalities for failing to comply listed under HIPAA and HITECH.

Unfortunately, many of customers we encounter through our security assessment business that are considered business associates are unaware of (and frankly fight acknowledging) the changes. The covered entities also seem to be confused on the topic and have done a disservice in not communicating these changes to the business associates.

If you hold business associate agreements with covered entities it would be wise to conduct some research into the impact of HITECH on your business as well as a self-assessment of your information security program against HIPAA's security provisions.

Some of those penalties are criminal in nature, by the way.

Posted by Douglas Davidson at 01:51 PM in Compliance, HIPAA, Information Security, Risk Management, Secure Value | Permalink | Comments (4) | TrackBack (0)

Technorati Tags: Health care, HIPAA, Privacy, Security

Secure Value

Secure Value focuses on information security issues that impact the value of start up and growth oriented small and medium businesses.