BreachExchange mailing list archives

Delete Data To Delete Risk


From: security curmudgeon <jericho () attrition org>
Date: Thu, 17 May 2012 03:12:47 -0500 (CDT)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.darkreading.com/database-security/167901020/security/news/240000521/delete-data-to-delete-risk.html

By Ericka Chickowski
Contributing Writer
Dark Reading
May 16, 2012

Earlier this month, a Missouri state senator led a filibuster to block the 
vote on the creation of a new prescription-tracking database within the 
state -- on the grounds that should a breach occur to expose this 
database, it would expose embarrassing information about citizens. Though 
extreme, the event offers good evidence that awareness is growing both in 
the public and private sector that one of the best ways to protect 
sensitive and personally identifiable information (PII) from a breach is 
to eliminate its existence.

"Rule No. 1 in data-breach prevention is that they can't steal it if you 
don't have it," says Alan Brill, senior managing director of Kroll 
Advisory Solutions. "It would be a lot better if people remembered that 
one."

Obviously, protected identifiable information and other sensitive 
information fuels enterprise business today. And then there are certain 
classes of data that are required to be kept because of litigation or to 
maintain a legal hold for discovery issues, Brill explains. But beyond 
that, he believes organizations need to do a better job probing the 
necessity of retaining data -- particularly PII -- and making every effort 
to limit its stay on company databases.

"You have to start asking, 'What's the value of the data? What am I doing 
with it? Does it represent positive value? And who wants me to keep it?'" 
Brill says.

[...]
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
