Posts

Showing posts from March, 2020

Using Encryption to make the Right to Be Forgotten Practical.

Article 17 paragraph 1 of the GDPR states "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies..." https://gdpr-info.eu/art-17-gdpr/ Article 17 paragraph 2 of the GDPR states "Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data." It is important to pay attention to the bolded words above. Because currently available technology and cost of impl...

How to do Identity and Access Management Wrong.

This blog is a study in how to do Identity and Access Management wrong. I am going to pick on an organization that I am a member of known as (ISC)2. (ISC)2 is responsible for the certification and continued education of computer system information security professionals who bear the proud title (CISSP). They are also the poster child on how to implement security in such a way that the system becomes unusable and unavailable because they are not terribly adept at identity and access management (one of the cornerstones of information systems security). So let us begin the critique. We will begin with one of the most important and frequently one of the most poorly implemented aspects of identity and access management: password management recovery. But before we begin discussing the flaws in the (ISC)2 implementation of password management recovery, let's look at some more pervasive issues around passwords as an authentication factor. In the Authentication ...