[Dataloss] rant: Abandon Ship! Data Loss Ahoy!

James Ritchie, CISA, QSA james_ritchie at sbcglobal.net
Sat Mar 22 01:36:34 UTC 2008


Here is an article that is very relevant to the concepts that have been 
talked about under this thread. This is from an attorney and dealing 
with PCI contractual compliance. Once you finish reading the document, 
it would not be a far stretch for a civil suit on a data breach (not 
just PCI related) but using the required controls of the DSS as a 
standard of due care. All company executives, time to start having your 
legal staff involved with each and every piece of compliance that your 
company faces. Here is the link.
http://infoseccompliance.blogspot.com/2008/02/legal-implications-risks-and-problems.html
 

Al Mac Wheel wrote:
> There will never be one perfect solution for all enterprises and 
> government agencies.
>
> The risks are different depending on:
> * The nature of the data and software that needs to be protected, from 
> what kinds of threats, which vary with the industry.
> * The computer operating system, computer languages supported, access 
> methods.
> * Just as a lot of software was designed for a long ago reality, when 
> the needs were less sophisticated, many buildings have security holes 
> ... false ceilings that a human can travel over, circumventing locked 
> doors, being the most obvious.
> * If a company does not own the building where their offices are 
> located, the landlord has keys to the place, which may be accessible 
> to a dishonest employee.  Also there may be other businesses in the 
> same building, with weaker security.  Crooks break into the weakest 
> link, then get through the building into their ultimate target.
> * In our interconnected world, other enterprises can connect to our 
> systems ... some of this is mandated by government regulations, some 
> of it due to how our business functions.  Let's suppose we have given 
> access to our systems to tech support, consultants, auditors, etc. & 
> let's suppose that outfit gets penetrated ... can the penetration 
> extend to all the places they have access to?  We know there are 
> viruses that target e-banking software, so that if we do electronic 
> financial transfers ... everyone we do business with can be a weak link.
>
> However, there can be some standards that cross systems.
>
> Some upgrades require temporary relaxing of some security.  There are 
> inspections that should be run after all upgrades, to ensure that 
> certain security standards are once again in place.  They should be 
> run whether or not the people, doing the upgrades, knowingly relaxed 
> any standards.
>
> In addition to inspection to see if embezzlement is going on, there can 
> also be inspection to see if people are keying sensitive information 
> into data areas whose labeling is non-sensitive information.
>
> It is not enough to train people, and pass out policy manuals.  There 
> has to be a process of testing that the people are following the 
> rules, such as not to photocopy or fax certain sensitive information, 
> to have encryption on portable data storage devices that leave company 
> property, to lock facilities properly every night, promptly report 
> anything lost or stolen.
>
> Testing software changes is done because we expect that something may 
> go wrong, so the test data base should not contain sensitive data on 
> real people, but rather data that is a simulation of the data to be 
> tested.
>
> I had suggested in my work place ... the IBM OS tracks software and 
> data usage ... I can show how heavily we use what ... the auditors can 
> be told what is used to run our business on a regular basis ... they 
> can designate 2-3 programs, data sets, etc. to be inspected by a 
> computer auditor who is an expert on our application systems to 
> produce a report on what this is really doing, how accurate it is, to 
> be matched with the external auditors statement of how it has been 
> represented to them by the end users.  Do the two stories match?  
> Depending on the results, they see how frequently it is wise to pick 
> other such samples in future audits.
>
> I had suggested this due to the multiplicity of PC tools on people's 
> personal work stations & end users divorced from internal logic of the 
> tools, or software designed by co-workers, and the evolving business, 
> where we are depending on tools designed years ago, for realities that 
> no longer exist today.
>
> Manny Cho wrote:
>> I agree with Sanford in that this incident (and all of the other loss 
>> notices that post every day to this site) is indicative of the fact 
>> that the idea of "one solution" or one perfect product is just not a 
>> reality today.
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss

-- 
James Ritchie
CISA, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+

Linkedin http://www.linkedin.com/pub/1/b89/433 

