<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<title>Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!</title>
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I absolutely agree – securing information is only a part
of privacy laws and principles. A culture of security and privacy starts
with an understanding of the company’s culture, recognition of privacy
and security as a risk, an understanding of applicable laws and regulations
(GLBA, FACTA, FTC Fair Information Practices, etc.), and policy development that
includes both privacy and security policies. Tracy’s comments
below, who, what, when, where, and why, should apply to both processes (“hands-on”)
and technology controls.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Technology can support those policies, but it’s ongoing
training and awareness that will truly develop a culture of privacy. Management
and employee performance reviews should include privacy and security awareness
as a key metric, especially in a business process or role that has access to
customers or customer data.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Great discussion – <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Eric Nelson, CIPP<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>President<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Secure Privacy Solutions<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a href="http://www.SecurePrivacySolutions.com">www.SecurePrivacySolutions.com</a><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
dataloss-bounces@attrition.org [mailto:dataloss-bounces@attrition.org] <b>On
Behalf Of </b>Tracy Blackmore<br>
<b>Sent:</b> Thursday, March 20, 2008 2:50 PM<br>
<b>To:</b> James Ritchie, CISA, QSA; dataloss@attrition.org<br>
<b>Subject:</b> Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div id=idOWAReplyText52770>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:black'>Something I haven't seen in this thread is...</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Many
companies give either consultants or manufacturers loads of money to 'secure'
them or 'verify' that they are secure. being a consultant myself I've
seen this all too often. This (obviously) does little to actually secure
anything!</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>To
properly secure something companies must create a culture of security -
starting with solid policies that are more than pieces of paper that sit in a
book until the auditor needs them.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Only
with these policies that define the who, what, when, where, why, and how can
good controls be put into place that support those policies.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Any
old fool can purchase a firewall and put it on the network - but I could tell
you stories of how many I've come across with the old Any/Any rule because of
lack of proper policies.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>And
then companies like Qualys... I think they offer a great service - but too many
companies think that just because they use that service that they are
secure. Qualys does NOTHING but offer information. How a company
uses that information, if at all, is up to the company!</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Me
personally? I'd take security out of the hands of the IT department! Give
it to a non-IT CSO who is dedicated to developing that culture of security with
the proper policies to back it up. With that, proper guidance can be
passed on to the IT department to deploy the controls necessary to support
them.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Tracy
Blackmore, CISSP</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Independent
Consultant</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>T.S.
Lad, Inc.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><a
href="http://www.tslad.com">www.tslad.com</a></span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
<div class=MsoNormal align=center style='text-align:center'>
<hr size=2 width="100%" align=center>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> dataloss-bounces@attrition.org on behalf of
James Ritchie, CISA, QSA<br>
<b>Sent:</b> Thu 3/20/2008 1:44 PM<br>
<b>To:</b> dataloss@attrition.org<br>
<b>Subject:</b> Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!</span><o:p></o:p></p>
</div>
<div>
<p><span style='font-size:10.0pt'>Being compliant does not mean being secure
and being secure does not<br>
mean being compliant. What most people forget with all the compliance<br>
is that constant vigilance must be maintained. Does that mean daily,<br>
weekly, monthly, quarterly, or annually that you have to verify that the<br>
controls are working appropriately? What I think will be the outcome is<br>
if appropriate due diligence and due care can be shown as fact, the<br>
liability will be reduced or eliminated. They will compare the actions<br>
taken and of similar size companies to see if what they had done was<br>
appropriate. To make any company 100% secure, the cost of security would<br>
be so prohibited, the company would be bankrupt. There has to be a<br>
balance and reasonable effort shown.<br>
<br>
Adam Shostack wrote:<br>
> On Thu, Mar 20, 2008 at 10:13:08AM -0500, Allan Friedman wrote:<br>
> | > On the public policy issue, I agree. If you want companies to
disclose<br>
> | > the exact circumstances around a breach (exact technical
details), there<br>
> | > will have to be a shield that prevents plaintiffs attorney's
from using<br>
> | > the information in lawsuits.<br>
> |<br>
> | You highlight an interesting trade-off. It may be the case that more<br>
> | disclosure would reduce incentives to prevent future breaches,<br>
> | depending on how we understand the problem.<br>
> |<br>
> | A standard policy tool for enforcing maximum diligence is the threat<br>
> | of lawsuits, massive ones that can wreck a corporation. If we follow<br>
> | this liability argument (as advanced by Schneier and other scholars of<br>
> | the economics of information security) then making concessions to<br>
> | corporate defendants can impede the end goal of less data retention<br>
> | and greater data protection.<br>
> |<br>
> | If we don't think we're ever going to get there, then more data about<br>
> | breaches for the purposes of research is clearly the greater good.<br>
> | This is a very interesting dynamic. I'll have to think about how to<br>
> | model it...<br>
><br>
> For this policy to be effective, costs must be aligned with a failure<br>
> to take effective measures. Today, we lack the data to asses how<br>
> effective various 'best practices' or standards are. Gene Kim and<br>
> company have done work showing that a few part of COBIT are key, and<br>
> others are not correlated with they outcomes they studied. (There's
a<br>
> CERIAS talk video you can find.) There's claims that Hannaford was<br>
> PCI complaint. Shouldn't that have made them secure?<br>
><br>
> So lawsuits today are random. With better data, we may be able to<br>
> better attribute blame. Perhaps this shapes a temporary liability<br>
> shield, with a goal of revisiting it later, or allowing case law to<br>
> shape it for a while?<br>
><br>
> Adam<br>
><br>
> _______________________________________________<br>
> Dataloss Mailing List (dataloss@attrition.org)<br>
> <a href="http://attrition.org/dataloss">http://attrition.org/dataloss</a><br>
><br>
> Tenable Network Security offers data leakage and compliance monitoring<br>
> solutions for large and small networks. Scan your network and monitor your<br>
> traffic to find the data needing protection before it leaks out!<br>
> <a href="http://www.tenablesecurity.com/products/compliance.shtml">http://www.tenablesecurity.com/products/compliance.shtml</a><br>
><br>
> <br>
<br>
--<br>
James Ritchie<br>
CISA, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+<br>
<br>
Linkedin <a href="http://www.linkedin.com/pub/1/b89/433">http://www.linkedin.com/pub/1/b89/433</a><br>
<br>
Attachments with this email, not explicitly referenced, should not be opened.
Always scan your email and their associated attachments for viruses prior to
opening.<br>
<br>
This message and any accompanying documents are confidential and may contain
information covered under the Privacy Act, 5 USC 552(a), the Health Insurance
Portability and Accountability Act (PL 104-191), or the Electronic
Communications Privacy Act, 18 U.S.C. 2510-2521 and its various implementing
regulations and must be protected in accordance with those provisions.
Unauthorized disclosure or failure to maintain the confidentiality of the
information may result in civil or criminal sanctions. <br>
<br>
This e-mail is strictly confidential and intended solely for the addressee.
Should you not be the intended addressee you have no right to any information
contained in this e-mail. If you received this message by mistake you are
kindly requested to inform us of this and to destroy the message.<br>
<br>
_______________________________________________<br>
Dataloss Mailing List (dataloss@attrition.org)<br>
<a href="http://attrition.org/dataloss">http://attrition.org/dataloss</a><br>
<br>
Tenable Network Security offers data leakage and compliance monitoring<br>
solutions for large and small networks. Scan your network and monitor your<br>
traffic to find the data needing protection before it leaks out!<br>
<a href="http://www.tenablesecurity.com/products/compliance.shtml">http://www.tenablesecurity.com/products/compliance.shtml</a></span><o:p></o:p></p>
</div>
</div>
</body>
</html>