
July VA Laptop Theft Was an Inside Job: Another Example of the Insider Threat

A subcontractor has been charged with stealing the VA laptop taken in July, which contained billing information on 38,000 VA patients.

This highlights the importance of ensuring that controls exist for every individual you entrust with access to your information, not just your employees. It also means actively verifying that the business partners to whom you have outsourced data handling of any kind are adequately securing your information, and that they do not pass it on to yet another entity without your knowledge and approval.

I talk about the threats and suggested controls for outsourcing in a couple of recent papers, "Addressing the Risks of Outsourcing" and "Security and Privacy Contract Clause Considerations", which I co-wrote with Christopher Grillo.

I've had great and interesting discussions with CISOs from many companies, and a significant number of them have experienced information security incidents from the employees to whom they have given authorized access to sensitive information and systems, as well as many incidents with their outsourced business partners, vendors, contractors and so on.  I believe that, even with the majority of states having breach notification laws, most incidents still never get reported.  If the incident was "handled" quickly and the company believes the culprits did not have time to actually do anything with the data, then it does not get reported.

In more than one case the insider doing bad things was a systems security administrator who was unhappy with his or her work situation: not enough pay, not enough respect, no promotion, no recognition, no perceived importance or appreciation.

Information security and privacy incidents so often result from the actions of trusted insiders that practitioners need to keep this in mind and expand their scope of concern beyond physical and electronic controls to include human psychology in their information assurance activities. Information security programs benefit from considering the human factor: recognizing the motivations that lead people with legitimate access to cause security incidents, and watching for them.


Comments

A machine housing critical documents must be protected regardless of who is handling the files.

Beyond that, I completely agree with you that people need to recognize that security software, while it is crucial, won't do ALL the work to safeguard sensitive data. Companies need to invest time to educate employees (and contractors!) on the latest threats and solutions (especially with something as rampant as laptop theft http://www.essentialsecurity.com/news.htm?id=41 ), as well as focus on keeping personnel satisfied and RELIABLE.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.