[Dataloss] hard drive destruction
Al Mac
macwheel99 at sigecom.net
Thu Aug 17 02:41:58 EDT 2006
Remember that SOX only applies to companies doing business in the USA that are
traded on the stock market. Many large companies are privately held.
Looking at recent large breaches:
Ernst & Young ... multiple breaches with records on different companies:
* BP employees
* Cisco employees
* Hotels.com
* IBM employees
* Nokia employees
* Sun Microsystems employees
I think they are based in Britain, so different laws may be applicable than
those in the USA.
Hummingbird in Canada breached 1,300,000 US students
These are public companies in the USA:
* American Insurance Group ... 930,000
* Automated Data Processing ... hundreds of thousands
* IBM ... 17,781,462
* Marsh Insurance ... 540,000
I do not believe the American Red Cross is (several incidents, big one = 1
million people), or the American Institute of Certified Public Accountants
(330,000), or Vassar Brothers Medical Center (257,800).
It might be of interest to know what proportion of breaches occurred at
institutions not covered by SOX, CFR, GLBA, HIPAA, etc. In other words, the
only rules that applied to them were the breach disclosure laws, and good
governance without any mandate for it.
Alphabet soup of some data security standards:
http://www.unbeatenpathintl.com/ITstandards/source/1.html
I think a large proportion of breaches overall have been at colleges and
universities. I don't think any of them are covered by SOX. However, the
number of victims per academia incident is generally smaller compared to
incidents at government and financial institutions ... I think the banks
are heavily regulated, such as by GLBA, bank regulators, and the credit
card standards, and most of them are public companies.
There's also the question of what industries appear to have avoided having
any significant breaches, and the numbers of non-victims (because no
breaches) involved there.
>This whole security and accountability issue adds a new level of
>complexity to outsourcing and offshoring IT capabilities. Data breaches
>aside, when SoX moves from 404 to 409, I cannot help but wonder how some
>business entities will demonstrate compliance, when all of their
>physical data handling occurs outside of their physical control. It is
>deceptively easy to comply with security requirements on paper.
>
>Of course The Information Security ISO 17799 and ISO 27001 will add
>additional levels of complexity. The combination of executive
>accountability (in terms of actually going to jail) for financial data,
>and the vulnerability of personal data (often stored on the same
>systems) will make the next 5 years.... Interesting.
>
>Andy Dail
>Sunoco PCI Project Manager