Overview

Thank you for visiting the NYS Office of Information Technology Services (ITS) website. This website is designed to make it easier and more efficient for New York State citizens and businesses to learn about technology initiatives in New York State (State) government and to interact with ITS. ITS recognizes that visitors to this website are concerned about their privacy. ITS is committed to preserving your privacy when visiting this website.

Consistent with the provisions of the Internet Security and Privacy Act, the Freedom of Information Law and the Personal Privacy Protection Law, this policy describes ITS's privacy practices regarding information collected from users of this website. This policy describes what data is collected and how that information is used. ITS may, at its sole discretion, change modify, add, or delete portions of this policy. Because this privacy policy only applies to this website, you should examine the privacy policy of any website, including other State websites, you access through this website.

For purposes of this policy, personal information means any information concerning a natural person, as opposed for instance to a corporate entity, which, because of name, number, symbol, mark, or other identifier, can be used to identify that natural person. ITS only collects personal information about you when you provide that information voluntarily by sending an e-mail or by initiating an online transaction, such as a survey, registration or order form.

Information Collected Automatically When You Visit This Website

When visiting this website ITS automatically collects and stores the following information about your visit:

None of the foregoing information is deemed to constitute personal information.

This information that is collected automatically is used to improve this website's content and to help ITS understand how people are using this website. This information is collected for statistical analysis, to determine what information is of most and of least interest to our visitors, and to identify system performance or problem areas. The information is not collected for commercial marketing purposes and ITS does not sell or distribute the information collected from the website for commercial marketing purposes.

Cookies

Cookies are simple text files stored on your web browser to provide a means of distinguishing among users of this website. The use of cookies is a standard practice among Internet websites. In order to better serve you, we may use "temporary" cookies to enhance, customize or enable your visit to this web site. Temporary cookies do not contain personal information and do not compromise your privacy or security and are erased during the operation of your browser or when your browser is closed.

During your visit to this website, you may complete a registration form in order to personalize your use of the website. In such an event, we may deliver a "persistent" cookie which would be stored on your computer's hard drive. This persistent cookie will allow the website to recognize you when you visit again and tailor the information presented to you based on your needs and interests. ITS uses persistent cookies only with your permission.

The software you use to access the website allows you to refuse new cookies or delete existing cookies. Refusing or deleting these cookies may limit your ability to take advantage of some of the features of this website.

Information Collected When You Email this Website or Initiate an Online Transaction Through this Website

If during your visit to this website you send an email to ITS, your email address and the contents of your email will be collected. The information collected is not limited to text characters and may include audio, video, and graphic information formats you send us. The information is retained in accordance with the public record retention provisions in the State Arts and Cultural Affairs Law. Your email address and the information contained in your email will be used to respond to you, to address issues you identify, to further improve this website, or to forward your email to another agency for appropriate action. Your email address is not collected for commercial marketing purposes and ITS does not sell or distribute your email address for any purposes.

During your visit to this website you may initiate a transaction such as a survey,registration or order form. The information, including personal information, volunteered by you in initiating the transaction is used by ITS to operate ITS programs, which include the provision of goods, services and information. The information collected by ITS may be disclosed by ITS for those purposes that may be reasonably ascertained from the nature and terms of the transaction in connection with which the information was submitted by you.

Currently, ITS does not knowingly collect personal information from children or create profiles of children through this website. People are cautioned that the collection of personal information provided by any individual in an email or through an online transaction will be treated the same as information given by an adult, and may, unless exempted from access by federal or State law, be subject to public access. ITS encourages parents and teachers to be involved in children's Internet activities and to provide guidance whenever children are asked to provide personal information on-line.

Information and Choice

As noted above, ITS does not collect any personal information about you during your visit to this website, unless you provide that information voluntarily by sending an e-mail or initiating an online transaction such as a survey, registration, or order form. You may choose not to send us an e-mail, respond to a survey or complete an order form. While your choice not to participate in these activities may limit your ability to receive specific services or products through this website, it will not prevent you from requesting services or products from ITS by other means, and will not normally have an impact on your ability to take advantage of other features of the website, ncluding browsing or downloading most publicly available information.

Disclosure of Information Collected Through This Website

The collection of information through this website and the disclosure of that information are subject to the provisions of the Internet Security and Privacy Act.ITS will only collect personal information through this website, or disclose such personal information, if the user has consented to the collection and disclosure of such personal information. The voluntary disclosure of personal information to ITS by the user, whether solicited or unsolicited, constitutes consent to the collection and disclosure of the information by ITS for the purposes for which the user disclosed the information to ITS, as was reasonably ascertainable from the nature and terms of the disclosure.

However, ITS may collect or disclose personal information without user consent if the collection or disclosure is: (1) necessary to perform the statutory duties of ITS, or necessary for ITS to operate a program authorized by law, or authorized by state or federal statute or regulation; (2) made pursuant to a court order or by law; (3) for the purpose of validating the identity of the user; or (4) of information to be used solely for statistical purposes that is in a form that cannot be used to identify any particular person.

Further, the disclosure of information, including personal information, collected through this website is subject to the provisions of the Freedom of Information Law and the Personal Privacy Protection Law. Additionally, ITS may disclose personal information to federal or State law enforcement authorities to enforce its rights against unauthorized access or attempted unauthorized access to ITS's information technology assets and any other inappropriate use of its website.

Retention of Information Collected Through this Website

The information collected through this website is retained by ITS in accordance with the records retention and disposition requirements of the New York State Arts and Cultural Affairs Law. Information on the requirements of the Arts and Cultural Affairs Law may be found at http://www.archives.nysed.gov/records/mr_laws_acal5705.shtml. In general, the Internet services logs of ITS, comprising electronic files or automated logs created to monitor access and use of state agency services provided through this website, are retained for one year and then destroyed. Information, including personal information that you submit in an e-mail or when you initiate an online transaction such as a survey, registration form, or order form is retained in accordance with the records retention and disposition schedule established for the records of the program unit to which you submitted the information. Information concerning these record retention and disposition schedules may be obtained through the Internet privacy policy contact listed in this policy.

Access to and Correction of Personal Information Collected Through this Website

Any user may submit a request to the ITS privacy officer to determine whether personal information pertaining to that user has been collected through this website. Any such request shall be made in writing to the address below and must be accompanied by reasonable proof of identity of the user. Reasonable proof of identity may include verification of a signature, inclusion of an identifier generally known only to the user, or similar appropriate identification. The address of ITSs privacy compliance officer is: Privacy Officer, Office for Technology, State Capitol ESP, PO Box 2062, Albany, New York 12220-0062.

The privacy compliance officer shall, within five (5)business days of the date of the receipt of a proper request: (i) provide access to the personal information; (ii) deny access in writing, explaining the reasons therefore; or (iii) acknowledge the receipt of the request in writing, stating the approximate date when the request will be granted or denied, which date shall not be more than thirty (30)days from the date of the acknowledgment.

In the event that ITS has collected personal information pertaining to a user through the state agency website, and that information is to be provided to the user pursuant to the users request, the privacy compliance officer shall inform the user of his or her right to request that the personal information be amended or corrected under the procedures set forth in section 95 of the Public Officers Law.

Confidentiality and Integrity of Personal Information Collected Through this Website

ITS limits employee access to personal information collected through this website to only those employees who need access to the information in the performance of their official duties. Employees who have access to this information are required to follow appropriate procedures in connection with any disclosures of personal information.

In addition, ITS has implemented procedures to safeguard the integrity of its information technology assets, including, but not limited to, authentication, monitoring, auditing and encryption. These Security measures have been integrated into the design, implementation, and day-to-day operations of this website as part of our continuing commitment to the security of electronic content as well as the electronic transmission of information.

NOTE: The information contained in this policy should not be construed in any way as giving business, legal, or other advice, or warranting as fail proof, the security of information provided via this website. For site security purposes and to ensure that this website remains available to all users, ITS employs software to monitor traffic to identify unauthorized attempts to upload or change information or otherwise cause damage to this website.

Links Disclaimer

In order to provide visitors with certain information, this website provides links to local, State and federal government agencies, and websites of other organizations. A link does not constitute an endorsement of the content, viewpoint, accuracy, opinions, policies, products, services, or accessibility of that website. Once you link to another website from this website, including one maintained by the State, you are subject to the terms and conditions of that website, including, but not limited to, its privacy policy.

Information Disclaimer

Information provided on this website is intended to allow the public immediate access to public information. While all attempts are made to provide accurate, current, and reliable information, ITS recognizes the possibility of human and/or mechanical error. Therefore, ITS, its employees, officers and agents make no representations as to the accuracy, completeness, currency, or suitability of the information provided by this website, and deny any expressed or implied warranty as to the same.

Contact Information

For questions regarding this Privacy Policy please email ITS at [emailprotected].

Original post:
ITS Internet Security and Privacy Policy | New York State ...

Dominic Raab has announced 22 million worth of investment to bolster cyber security capabilities in developing countries as he warned hostile state actors and criminal gangs are using technology to undermine democracy.

It comes as NGOs dismissed a claims by U.K.Foreign Secretary Dominic Raab thatno one is going hungry because we havent signed checks as shocking and simply not true. Following the economic shock of the coronavirus crisis,the chancellor cut the foreign aid budgetfrom 0.7% to 0.5% of total national income a reduction of around 4bn.

Cuts to humanitarian aid by the UK are a tragic blow for many of the worlds most marginalised people, 200 charities said in a joint statement, in April.

Organisations including Save the Children and Oxfam said humanitarian assistance was being reduced by more than 500m.

While the UK will continue cutting aid through 2021, Joe Biden announced this month an increase of $5.4bn (3.9bn) or 10% for USAid, the US governments international development agency.

Aid organizations are still grappling with funding uncertainty despite being weeks into a new financial year and have said they are gravely concerned about the impact their programs will feel from U.K. aid cuts, including in Syria, Yemen, and the Democratic Republic of Congo.

Jean-Michel Grand Action Against Hungers Grandsaid Raabs comment was simply not true. He wrote: Right now in the DRC, 27 million people are going hungry, and 22 days into the new financial year our teams are still waiting for assurances on their funding. Health centres will close. Lives will be lost.

The co-founder and co-CEO of Purposeful in Sierra Leone said: The timing of this is terrible not just because of the G7 and pandemic. It will means thousands of girls will not have access to life-saving sexual reproductive facilities. It undercuts the UKs moral authority. These are political cuts.

The Foreign Secretary told the CyberUK conference that authoritarian regimes including North Korea, Iran, Russia and China are using digital technology to sabotage and steal, or to control and censor.

Speaking at the conference on Wednesday, Mr Raab urged for international law to be respected in cyber space and concluded there is a need to clarify how rules around online activity are enforced.

The UK, jointly with Interpol, will set up a new cyber operations hub in Africa working across Ethiopia, Ghana, Kenya, Nigeria and Rwanda to support joint operations against cyber crime.

In a speech four years on from the WannaCry ransomware attack, which hit the NHS and affected hospitals across England and Scotland, Mr Raab said cyber criminals now also acted as a threat to democracy.

He said: There is also a democratic dimension to the threats that we see because elections are now a prime target.

The Foreign Secretary referred to the UKs 2019 general election, which he said Russian actors attempted to interfere with, as well as multiple cyber attacks during the 2016 and 2020 US elections.

In the last year alone, the National Cyber Security Centre dealt with 723 major cyber security incidents, the highest figure since the agency was formed five years ago, according to the Foreign Secretary.

Some of this activity is aimed at theft or extortion, but it all too often is simply focused on sabotage and disruption, he told the conference.

I think its worth saying these actors are the industrial-scale vandals of the 21st century.

These hostile state actors, the criminal gangs, they want to undermine the very foundations of our democracy.

Outlining the UKs strategy in dealing with such threats, including advice to businesses and families, Mr Raab said the efforts were starting to pay off as the nation made improvements in disrupting and deterring malicious activity.

We want to see international law respected in cyberspace, just as we would anywhere else, he told the conference.

We need to show how the rules apply to these changes in technology, the changes in threats, and the systematic attempts to render the internet a lawless space.

Our challenge is to clarify how those rules apply, how they are enforced, and guard against authoritarian regimes bending the principles to meet their own malicious ends.

The 22 million of new funding is set to support cyber capacity in vulnerable countries, particularly in Africa and the Indo-Pacific, which will go towards supporting cyber response teams and online safety awareness campaigns.

Mr Raab added: We can lead internationally in protecting the most vulnerable countries and at the same time bring together a wider coalition of countries to shape international rules that serve the common good.

Related: European Commission worried about EU citizens detained by UK

Since you are here, we wanted to ask for your help.

Journalism in Britain is under threat. The government is becoming increasingly authoritarian and our media is run by a handful of billionaires, most of whom reside overseas and all of them have strong political allegiances and financial motivations.

Our mission is to hold the powerful to account. It is vital that free media is allowed to exist to expose hypocrisy, corruption, wrongdoing and abuse of power. But we can't do it without you.

If you can afford to contribute a small donation to the site it will help us to continue our work in the best interests of the public. We only ask you to donate what you can afford, with an option to cancel your subscription at any point.

To donate or subscribe to The London Economic, click here.

The TLE shop is also now open, with all profits going to supporting our work.

The shop can be found here.

You can also SUBSCRIBE TO OUR NEWSLETTER .

Excerpt from:
Cant eat the internet! Raab pledges 22m cyber security for vulnerable countries as 4bn cut from foreign aid - The London Economic

Disinformation is undoubtedly on more peoples radars. But just because we know more about it doesnt mean we are better prepared to face the challenge it is posing.

With normal cyber-attacks, governments and organizations are often targeted directly. Disinformation is different. Instead of attacking core infrastructure, bad actors or nation states attack the population by attempting to skew their beliefs.

Disinformation, a form of misinformation that is createdspecificallyto manipulate or mislead people, is becoming more prevalent mainly because its easy to create and disperse. The tools behind deepfakes and malicious botshave been democratized, creation can now be automated and disinformation-as-a-service has emerged.

The threat of disinformation has two key components. Nation states and bad actors use it to discredit governments and organizations, and target employees to infiltrate businesses from the inside.

In the UK, experts recently told a House of Lords inquiry that upcoming legislation should force internet companies to provide real-time information on disinformation. While CIOs cannot tackle this problem alone, they can take some steps to mitigate the risk.

Retaining Credibility

Nation states and bad actors can harm governments and organizations without targeting them directly utilizing a cyber-attack. For instance, they could impact the number of coronavirus vaccines administered by the National Health Service (NHS) by using disinformation to sow distrust about vaccine effectiveness or safety. Late last year, the media reported that hackers tried to break into the systems of researchers at AstraZeneca and the University of Oxford. In response, the National Cyber Security Centre (NCSC) stated that it was working to protect the UKs most critical assets, the health sector and crucial vaccine research and development against threats.

Its hard to control how disinformation spreads, but awareness campaigns can be run to counter the threat of disinformation, while also creating certified FAQs and resource pages.

In November 2020, the UK government and social media platforms agreed a package of measures to reduce vaccine disinformation. This includes ensuring a timely response to disinformation content flagged to platforms and joining new policy forums to prepare for future threats. In March 2021, the government also launched a social media campaign to tackle false vaccine information shared amongst ethnic minority communities.

While CIOs alone cannot regain control of information in the internet age, governments can consistently remind people that they represent a reputable source and can be diligent in only driving citizens tootherreputable sources. Governments and departments may even look to more traditional efforts, like marketing, in order to disseminate verified information.

Educating and Protecting Employees

But what does this have to do with a cybersecurity company? Some types of disinformation can lead to insider threats. Social media and other sources of inaccurate information can radicalize employees, who may feel compelled to steal sensitive data or IP. For example, activist group QAnon left breadcrumbs of secrets peppered with pledges and pro-Trump themes on message board 4chan.

Just as disinformation is now for sale, insider-threat-as-a-service also exists. While bad actors and nation states formerly attempted to bribe and extort their way to sensitive information, they can now either serve disinformation to existing employees, or ultimately become employees themselves.

To prepare for the former, organizations and governments need to implement more disinformation education and training programs. Employees should be required to take training to recognize disinformation and understand the techniques that can be used to skew the publics common belief system, the use of verifiable information fused with false information to alter narratives and how to discredit reliable sources. As this relates directly to insider threats, by helping employees validate sources, organizations are protecting their data in the long run.

Additionally, in order to combat both types of insider threat, organizations and governments must be adept at continuous monitoring of user behavior. By having a baseline of normal user behavior, IT teams can determine if a radicalized employee is attempting to hoard data or access restricted information. There is simply no way to completely eliminate the threat of disinformation and malicious insiders. Thus, IT teams must put behavioral analytics in place to quickly identify and respond to potentially dangerous user behavior.

The Bottom Line

The tough reality is that, in an age of social media, there is no silver bullet to combat this real and growing threat.Everyonemust be diligent about questioning what they see online, rather than simply taking it at face value and internalizing it as facts. IT professionals in governments and organizations should be most concerned about disinformation undermining their own credibility and potentially turning their own employees against them.

Awareness is crucial to combating disinformation, but it should be supplemented by behavioral analytics. CIOs should proceed as if disinformation is already impacting both their employees and citizens because it is. This is an all-hands-on-deck issue and its time to combat the threat of disinformation today.

Here is the original post:
Governments and Organizations Can't Ignore Threats Posed by Disinformation - Infosecurity Magazine

On April 14, 2021, the Department of Labor (DOL) issued its first set of guidance documents related to the cybersecurity of retirement benefit plans covered by the Employee Retirement Income Security Act (ERISA). The three-part guidance is aimed at various stakeholdersplan fiduciaries, service providers, plan participants and beneficiariesand provides cybersecurity expectations for plan fiduciaries and best practices for their service providers.

Cybersecurity has become an area of critical importance to plan sponsors and administrators of employee benefit plans, as well as their service providers, as they increasingly rely on the Internet and IT systems to administer those plans. In a February 2021 Government Accountability Office (GAO) Report, the GAO, an independent and non-partisan U.S. legislative agency that monitors and audits government spending and operations, highlighted the significant cybersecurity risks to benefit plans and called on the DOL to clarify responsibilities for fiduciaries and provide guidance related to minimum cybersecurity expectations. Although DOLs recent guidance is sub-regulatory guidance, which does not have the authority of federal agency regulations under the Administrative Procedure Act (APA), the guidance presents DOLs first official action focused on mitigating the significant cybersecurity risks to participant data and plan assets.

DOLs three pieces of cybersecurity guidance target different audiences and emphasize the importance of each stakeholders role in preventing fraud and loss. The following is a brief summary of each guidance document.

DOLs guidance makes clear the protection of participant data and plan assets from cybercriminals is a critical consideration for all benefit plan stakeholders. ERISA establishes minimum standards and requirements intended to protect plan participants and beneficiaries in private sector benefit plans and requires plan fiduciaries to act prudently when administering plans. But ERISA regulations are silent on how plan constituents should comply with these requirements. Prior to issuing its guidance, DOL had not clarified its view as to whether plan administrators were responsible for mitigating cybersecurity risks. The recent literature makes clear that in DOLs view, retirement plan fiduciaries are obligated to ensure the proper mitigation of cybersecurity risks, and the guidance provides helpful data points for plan record-keepers and service providers to protect plan data.

In light of DOLs guidance, plan sponsors and administrators that handle data management in-house that have yet to develop a formal cybersecurity program should do so now, and those with cybersecurity programs currently in effect should re-evaluate those programs to ensure they align with DOLs suggested best practices. Plan sponsors and administrators should also revisit their contractual engagements with service providers to ensure they have adopted a well-documented cybersecurity program that offers adequate protections in the event of a breach. Although the guidance is framed as tips and best practices and currently has no enforcement mechanism, it signals the DOLs heightened focus on cybersecurity in light of more frequent attacks and increasingly sophisticated breach techniques. The guidance specifically addresses retirement plans, but fiduciaries of health and welfare plans are subject to the same fiduciary responsibilities under ERISA. Stakeholders should evaluate their cybersecurity practices and policies and implement the DOLs best practices where possible to ensure their benefit plans do not fall victim to data compromise.

See original here:
Department of Labors Cybersecurity Guidance for Benefit Plans Signals Increased Scrutiny - JD Supra