funsec mailing list archives

Re: [privacy] Fwd: [Dataloss] (SAIC update) 900,000 health records possibly compromised


From: "Brian Loe" <knobdy () gmail com>
Date: Sat, 21 Jul 2007 10:18:45 -0500

On 7/20/07, Dave Paris <dparis () w3works com> wrote:
> I've worked for one of Tricare's competitors.  Nothing new under the
> sun.  These people wouldn't know security if it dropped on their heads
> like an anvil.  Hell, I had to bring my own taps and hardware in because
> I couldn't get a budget for *any* security.  When I walked out, so did
> any sense of monitoring and the hardware to do it.


I've worked for a competitor as well - and while they hadn't yet taken
on any government work/data, they were looking at it (and scared all
to hell about it, via a strong inability to understand what it was).
Truth is, either regulation is mostly just paperwork. If you can make
your paperwork look good and complete you're probably golden - even in
the case of a breach.

Too true, though, that data security doesn't appear to be a major
concern of any of these companies. My previous employer has a guy with
the title of "data security officer" but he works as a project
manager. I met him only once, in a meeting about DITSCAP, and he was
COMPLETELY clueless on anything to do with security or regulatory
compliance. And, as I said, I met him only once even though my team
were the ones driving the security ship (if you want to call it that,
we controlled the firewalls, proxies, etc.).

Since I left, that company has sorta "forgotten" that there is a syslog
server on the network - having disabled the alerts it sent out, there's
not much to remind them of it either. The monitoring software I can
only hope they're still using...
_______________________________________________
privacy mailing list
privacy () whitestar linuxbox org
http://www.whitestar.linuxbox.org/mailman/listinfo/privacy
