Maybe that's their problem. All employees should be required to read
and follow information security policies and procedures to protect
data, and in the real world, even when employees are required to read
it (they often don't even know the 150 page doc exists), they're likely
to be in a near-comatose drooling trance long before they finish
reading 150 pages of policies and standards.
<br><br>The most effective way to do it that I've seen is through
mandatory training and awareness campaigns. Without fully analyzing the
cause of all their breaches, this theory is not much more than hot air,
but it is, at the very least, a likely contributor.
<br><br>--Adrian<br><br><div><span class="gmail_quote">On 1/11/07, <b class="gmail_sendername">George Toft</b> <<a href="mailto:george@myitaz.com">george@myitaz.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
In UC's defense, they have a very aggressive information protection<br>policy - something like 150 pages of policy/procedure designed to<br>protect information as required by GLBA (it's been a while since I read<br>
it, so my page count might be off).<br><br>I think they are the exception rather than the rule as they've done more<br>than most to protect their data.<br><br>George Toft, CISSP, MSIS<br>My IT Department<br><a href="http://www.myITaz.com">
www.myITaz.com</a><br>623-203-1760<br><br>Confidential data protection experts for the financial industry.<br><br><br>Richard Forno wrote:<br>> They Take it Seriously? Oh, Sure<br>> January 9th, 2007 by Dan Gillmor<br>
><br>> (I originally wrote this for PR Week magazine.)<br>><br>> Several weeks ago, UCLA acknowledged that some of its computers had been<br>> hacked. Obeying a state law, it notified more than 800,000 people that their
<br>> personal data, including Social Security numbers, might have ended up in the<br>> wrong hands.<br>><br>> The fact that the data got loose wasn't all that striking. Unfortunately,<br>> that's all too common. What struck me was this statement from a hapless UCLA
<br>> honcho: “We have a responsibility to safeguard personal information, an<br>> obligation that we take very seriously.”<br>><br>> When and where have I heard that before? All kinds of times and places,<br>
> actually. It's becoming a mantra that means almost nothing.<br>><br>> Try this: Plug “we take” and “very seriously” into a Google News or Yahoo<br>> News search. You'll get hundreds of hits, albeit some repeats, where some
<br>> big institution - corporate, educational, government, whatever - makes a<br>> giant blunder and then issues a “we take (insert the violated policy) very<br>> seriously” statement.<br>><br>> < - >
<br>><br>> <a href="http://citmedia.org/blog/2007/01/09/they-take-it-seriously-oh-sure/">http://citmedia.org/blog/2007/01/09/they-take-it-seriously-oh-sure/</a><br>><br>><br>> _______________________________________________
<br>> Dataloss Mailing List (<a href="mailto:dataloss@attrition.org">dataloss@attrition.org</a>)<br>> <a href="http://attrition.org/dataloss">http://attrition.org/dataloss</a><br>> Tracking more than 143 million compromised records in 529 incidents over 6 years.
</blockquote></div><br>