[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [interesting-people Home]
Subject: [IP] more on Privacy experts vexed over bank's missing data mishap
------ Forwarded Message From: Ross Stapleton-Gray <ross@stapleton-gray.com> Date: Fri, 04 Mar 2005 11:39:09 -0800 To: <dave@farber.net> Subject: Re: [IP] Privacy experts vexed over bank's missing data mishap At 11:10 AM 3/4/2005, David Farber wrote: >According to David Farber, a professor of computer science and public policy >at Carnegie Mellon University, it is not uncommon for organizations to ship >unencrypted tapes and assume they are safe. > >"You would think people would learn," said Farber, an outspoken privacy >advocate. "It is such an easy thing to encrypt them. Before you write the >tape, you encrypt the data. When you get to the other end, you unscramble >it. Many of the things you archive, you don't care about. But when it comes >to personal information, encryption is important. Tapes could be lost, >misrouted, stolen -- anything." I would go this one step further, and advocate that the data be protected from all who have no need to know it, not just when it crosses the "organizational perimeter." When I was IT Security Officer for the UC system, there was something of a philosophical battle on authority... we had at least one campus IT security administrator who was adament that system administrators, being responsible for their machines, ought to have ready access to all *content* on the system... end-to-end encryption, for example, was anathema, as that rendered traffic opaque to her. But she doesn't need to know most of what's on the network to do her job, and exposing end-user information (whether financial records, per the BofA case, PHI, per HIPAA, or just plain old private e-mail and documents) to administrators without a need to know is folly. And given the degree to which functionality is outsourced, I think one might also be hard-pressed to define the organizational perimeter any more. Several UC problems of late, e.g., the medical records case where an outside provider subcontracted offshore, and that subcontractor further subcontracted to someone they didn't pay; or the case where a non-UC on a UC network, using State-provided data, was compromised by a worm, point to an increasing messiness of custody, ownership and responsibility. Lock things down as a default, and only permit what needs to be allowed to only those who need it. Ross ----- Ross Stapleton-Gray, Ph.D., CISSP Stapleton-Gray & Associates, Inc. http://www.stapleton-gray.com ------ End of Forwarded Message ------------------------------------- To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [interesting-people Home]
Powered by eList eXpress LLC