BreachExchange mailing list archives

Re: REDUCING THE IMPACT OF PII SECURITY BREACHES

From: George Toft <george () myitaz com>
Date: Tue, 18 Jul 2006 14:38:41 -0700

A quick google for the terms:
        information security program GLBA
shows several universities that realize that they ARE financial 
institutions per the Federal Government's definition under the 
Gramm-Leach-Bliley Financial Modernization Act.  The GLBA Security Rule 
has been in effect for over three years now, so those universities that 
are behind the times need to catch up and comply with already existing 
laws.  See 
http://www.google.com/search?num=50&hl=en&lr=&safe=off&q=information+security+program+GLBA&btnG=Search

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.


henry ojo wrote:

REDUCING THE IMPACT OF PII SECURITY BREACHES
The persistent security breaches that occur in so many organisations and 
institutions are no longer big news. What is worrying is that while it 
is expected in financial institutions, as obvious targets for their 
'monetary rewards', it is rather unexpected that about a third of the 
reported security breaches in the U.S. occur in educational institutions.

Obviously the level of protection afforded the information (mainly 
Personally Identifiable Information, PII) held by these educational 
institutions is much less than that of their financial counterparts, yet the 
data breaches could be just as damaging.

What makes PII so valuable to fraudsters? Loans, mortgages, credit 
cards and illegal employment could be obtained using this kind of information.
This now rests the burden of responsibility at the feet of organisations 
that use PII as the only way to validate the identity of applicants for 
their services.

Fraudsters use this information largely because it is inherently 'low 
risk' with huge returns, as the risk of being physically present is 
eliminated by organisations relying heavily on e-commerce.

The question is, do the benefits of cost cutting and easing organisations' 
operations by doing substantial amounts of business online outweigh the 
impact of not providing enough protection to customers' PII, by not 
streamlining processes and procedures to aid the security of customers' 
PII, at the risk of legislative/regulatory fines etc.?

A suggestion to revert to the stone ages is not being conceived, but the 
emphasis on using PII for validation, verification and even, in some 
cases, authentication by a lot of institutions should be reduced.
Biometrics and token password solutions provide alternative authentication 
mechanisms, which organisations avoid because of costs, but in the long 
term an ROI might justify the investment against legislative/regulatory 
fines, litigation, legal fees and loss of goodwill/reputation.
Henry Ojo BSc HISP BS7799 Auditor
www.efortresses.ie
Cell: 00353 874182266
Office:+(0) 7958430094
Fax :+(0) 7092 0950843

------------------------------------------------------------------------

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/
