BreachExchange mailing list archives

Re: CTS: Thief Steals Tax Records


From: lyger <lyger () attrition org>
Date: Sun, 4 Feb 2007 17:08:55 -0500 (EST)


Since I almost never get to jump into these discussions, please allow me 
to retort. 

I find a couple of the comments below to be somewhat stereotypical.  "IT 
guys" are generally considered to be "geeks" and nothing more, even if 
they have years of experience in fields that have to deal with regulatory 
compliance issues on a daily basis.  Some "IT guys" are absolutely capable 
of making business decisions, especially when the decision in question 
concerns protecting their company from bad choices made by the "business 
leaders" who fail to understand the basics of risk assessment and risk 
management, specifically those that deal with the loss of client, 
customer, or employee information.  

While it may be true that "a large percentage of IT guys" aren't as versed 
in regulatory compliance as their "business leader" counterparts, the same 
can be said for the "business leaders" who aren't concerned with the 
impact a data breach can have on their company and fail to enable their 
"IT guys" to provide valuable input into the decision-making process.

Just my opinion.

Lyger 


On Sun, 4 Feb 2007, James Childers wrote:

": " An absolute recipe for disaster is when you let the I.T. "guys" make
": " business decisions.
": " 
": " Thanks for the info.
": " 
": " James Childers
": " http://www.iqbio.com 
": " http://www.clipbio.com 
": " 
": " -----Original Message-----
": " From: George Toft [mailto:george () myitaz com] 
": " Sent: Sunday, February 04, 2007 1:45 PM
": " To: James Childers
": " Cc: blitz; dataloss () attrition org
": " Subject: Re: [Dataloss] CTS: Thief Steals Tax Records
": " 
": " The FTC clearly calls out tax preparers as being required to comply with
": " 
": " GLBA (http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm 3rd 
": " paragraph).  However, in September, 2006, CPA's were able to become 
": " exempt from the privacy rule of GLBA 
": " (http://www.icpas.org/icpas/ei/gbarticle.asp).  They are still required 
": " to comply with the Security Rule, which nobody seems to know about.
": " 
": " CPA's by nature are very tight-fisted with their money, and they see 
": " this as yet another expense that has no benefit.  "If it's not broke, 
": " why should I fix it?"
": " 
": " This list's members are very proactive and forward-thinking.  Securing 
": " information is obvious to us, but eludes others, so they delegate the 
": " task to "the IT guy" and it's his problem because "he understands that 
": " stuff."  Problem is, a large percentage of IT Guys I've spoken with are 
": " clueless about regulatory compliance and the finer art of information 
": " security.
": " 
": " George Toft, CISSP, MSIS
": " My IT Department
": " www.myITaz.com
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 146 million compromised records in 562 incidents over 7 years.