[Dataloss] fringe Federal law and ID theft prevention
Adam Shostack
adam at homeport.org
Thu Sep 4 19:31:29 UTC 2008
You're welcome! No argument that training is important, given the FTC
requirements. At the same time, I'm curious: what do such programs
entail? Do programs aspire to anything beyond "ensure we're
training"? How are organizations testing their effectiveness?
Adam
On Thu, Sep 04, 2008 at 01:00:31PM -0600, Derek Rigsby wrote:
| Adam,
|
| Thanks for catching that misstep in my comments. My intention was to say
| "Training ALL employees on a regular basis is important not just new
| employees as they are hired".
|
| Derek Rigsby
|
| -----Original Message-----
| From: Adam Shostack [mailto:adam at homeport.org]
| Sent: Thursday, September 04, 2008 12:39 PM
| To: Derek Rigsby
| Cc: 'Michael Hill, CITRMS'; 'Henry Brown'; dataloss at attrition.org
| Subject: Re: [Dataloss] fringe Federal law and ID theft prevention
|
| Hi Derek,
|
| Do you have any evidence for the claim that new employees are most
| likely to steal information? The ACFE (Ass'n of Certified Fraud
| Examiners) report usually points to longtime employees as the
| most likely to steal money.
|
|
| Adam
|
| On Thu, Sep 04, 2008 at 12:16:53PM -0600, Derek Rigsby wrote:
| | Training new employees is important. They are a strange breed; not just
| | your first line of defense against fraud but they are also the most likely
| | person to steal the information that they have legitimate access to. Too
| | often good employees see problems and potential holes in their organization's
| | information security policy but do not know how or if they should bring them
| | up to senior management. Education is necessary to combat fraud and identity
| | theft but any company will need the buy-in from senior management for any
| | policy to be effective. The Red Flag Rule states that the policy must be
| | administered by a board of directors, or in the case of smaller entities that
| | may not have a board of directors, a member of senior management. Together,
| | proper education of all employees and senior management driving the
| | operational and cultural changes necessary to implement a formal red flag
| | policy is a step in the right direction.
| |
| | What is equally important and something I did not notice in the referenced
| | document is the vendor integrity requirement of the law. A covered entity
| | must ensure not only its own compliance, but also must consider the
| | information security posture of any vendor, supplier or third party provider
| | with whom it exchanges sensitive data or who has access to sensitive data.
| | All too often we hear about a loss of data where a third party vendor
| | mishandled a consumer's PII. It is apparent in today's world that
| | organizations need to train their employees regularly and have senior
| | management coordinate the cultural and operational changes but it is equally
| | important to know that vendors and suppliers are doing the same. If your
| | organization does everything properly and one vendor or supplier does not
| | share the same kind of reverence for protecting PII your company is still
| | at risk.
| |
| |
| |
| | Derek Rigsby
| |
| | Vice President
| |
| | Product Development
| |
| | idBUSINESS / idCURE
| |
| | Denver, Colorado
| |
| | 720.278.0756 - Mobile
| |
| | Derek.Rigsby at idCURE.com
| |