Data Security Policies

  • Jim P. (4/8/2014)


    Eric M Russell (4/8/2014)


    I hate to say it, but the only way we're ever going to see any industry-wide application of standard data security policies is through government regulation and oversight. For an organization to adopt their own internal security policy and then publicly state their own self-compliance is worthless.

    This is the same government that created the IRS, Social Security, the ACA, and the EPA?

    No, thank you.

    And when you say "industry wide", which industry are you talking about? I previously worked for a bank. I am now working for a healthcare SW company. What if my next employers are credit cards or auto manufacturing? What standard other than things like payroll is common?

    Every industry has its own risks, so each needs a somewhat different set of regulations. I've worked in banking, back in the 1990s before Sarbanes–Oxley. I've also worked federal contracting gigs, and currently in healthcare. Of course there is regulation; there has been significant progress over the past decade, but I honestly don't think enough progress, not to the point that it makes a real difference. By and large, when it comes to data security, corporations do what they are obligated to do. Left to their own devices, few would follow best practices like encrypting data or disclosing breaches to the media or affected customers. When it comes to disclosing data breaches to customers, that concept didn't even exist until the requirement was forced upon U.S. corporations by law. There is no way corporations would ever do that were it not for the law.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • jay-h (4/8/2014)


    Eric M Russell (4/8/2014)


    I hate to say it, but the only way we're ever going to see any industry-wide application of standard data security policies is through government regulation and oversight.... Building a data warehouse for the purpose of handling credit card numbers and other personal information is conceptually no different than transporting explosive chemicals on a busy interstate highway: if it's not regulated, then there will routinely be spills and the public is at risk.

    Highly regulated industries (banking, pharma, etc) have plenty of failures. So, in fact, do government agencies.

    The problem with trying to clamp down tighter and tighter is that as long as there is a leak somewhere, there will be failures. We need to rethink the process EXPECTING occasional failures and minimizing the harm. One approach might be tokenizing data (credit card info, etc.) so that the actual data is never stored on site, only a token. With proper encryption, the tokens can only work from the system to which they were issued. Store A can use your token only from their authenticated system (Store B's token would be different) for a card purchase; if someone else gets the token, it's useless.

    Not a complete solution by any means, but we need to start thinking that information WILL leak, and work to control the damage done.

    Yes, failures do occur, mostly when the rules aren't followed, but that doesn't prove that the rules are useless; it only proves what happens when the rules aren't applied. There is no way that the solution you suggested above would be broadly adopted without government regulation enforcing it. Maybe a handful of large corporations like Microsoft and Google who are security literate and public relations conscious would adopt it, but forget about hospitals, online retailers, marketing firms, and social media. First they need guidance about what data security is, and then they need oversight to ensure that corporate interests are not put ahead of public safety.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
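    As an added illustration of the merchant-bound tokenization jay-h describes above (example code written for this page, not from the thread or any product): the card number lives only in the vault, the merchant holds an opaque token, and the token is tied to the merchant it was issued to, so a token lifted from Store A is useless to Store B. The vault key, merchant ids and test PAN are constructed, and `merchant_id` is assumed to arrive over an already-authenticated connection.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class TokenVault:
    """Hypothetical tokenization service (constructed for illustration).
    The PAN is stored only here; merchants receive a random token whose
    tag is an HMAC over (merchant_id, token_id) under a vault-held key."""

    def __init__(self, vault_key: bytes) -> None:
        self._key = vault_key
        self._pans: Dict[str, str] = {}  # token_id -> PAN, the only copy

    def _tag(self, token_id: str, merchant_id: str) -> str:
        msg = f"{merchant_id}:{token_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def tokenize(self, pan: str, merchant_id: str) -> str:
        token_id = secrets.token_hex(8)  # random; not derived from the PAN
        self._pans[token_id] = pan
        return f"{token_id}.{self._tag(token_id, merchant_id)}"

    def detokenize(self, token: str, merchant_id: str) -> Optional[str]:
        """Return the PAN only if this merchant is the one the token was
        issued to; a replayed token from another merchant yields None."""
        try:
            token_id, tag = token.split(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(tag, self._tag(token_id, merchant_id)):
            return None
        return self._pans.get(token_id)


def demo() -> Dict[str, bool]:
    vault = TokenVault(secrets.token_bytes(32))  # constructed per-vault key
    pan = "4111111111111111"  # constructed test PAN
    tok_a = vault.tokenize(pan, "store-A")
    tok_b = vault.tokenize(pan, "store-B")
    return {
        "store_a_can_use_own_token": vault.detokenize(tok_a, "store-A") == pan,
        "store_b_cannot_replay_a": vault.detokenize(tok_a, "store-B") is None,
        "tokens_differ_per_store": tok_a != tok_b,
        "token_exposes_pan": pan in tok_a,  # expected False
    }
```

A breach of the merchant's own database therefore leaks only tokens bound to that merchant; the vault becomes the single system that must be hardened and monitored.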

  • Eric M Russell (4/8/2014)


    Every industry has its own risks, so each needs a somewhat different set of regulations. I've worked in banking, back in the 1990s before Sarbanes–Oxley. I've also worked federal contracting gigs, and currently in healthcare. Of course there is regulation; there has been significant progress over the past decade, but I honestly don't think enough progress, not to the point that it makes a real difference. By and large, when it comes to data security, corporations do what they are obligated to do. Left to their own devices, few would follow best practices like encrypting data or disclosing breaches to the media or affected customers. When it comes to disclosing data breaches to customers, that concept didn't even exist until the requirement was forced upon U.S. corporations by law. There is no way corporations would ever do that were it not for the law.

    True. But if you look at Dodd-Frank, it has some banks specifically named as too big to fail. So the smaller banks that try to follow regulations have to buy software that is so expensive that it cuts the smaller bank's profits to nothing. I saw that happen.

    The way the regulations are written by the government -- it is not good for a free market. They are either so overblown that they strangle the free markets, or written so loosely that they make no sense. Whereas if the industry itself is required to come up with the regulation, they can be nuanced enough to get a coherent, realistic level of what is going on.



    ----------------
    Jim P.

    A little bit of this and a little byte of that can cause bloatware.

  • Personally I'd say the government shouldn't be deeply involved, but they can certainly require disclosure of issues, and perhaps even provide a framework that companies can contribute to with best practices, or even things not to do. Maybe just with maintaining a central set of places, even in partnership with places like SANS or Carnegie Mellon SEI.

    As industries we've done a poor job of sharing information overall, preferring to hide failures, problems, or even good practices under the guise of it being "better business" or "competitive advantage" for our organization.

  • Steve Jones - SSC Editor (4/8/2014)


    As industries we've done a poor job of sharing information overall, preferring to hide failures, problems, or even good practices under the guise of it being "better business" or "competitive advantage" for our organization.

    s/industries/management

    I don't often meet a DBA who doesn't want to talk about the issues that plague their workplace 😛 I think mandatory reporting laws on data breaches are an awesome idea, though of course they are more targeted at the customers than the technical details of how a hack was done.

    But, for example, with Target, having one led to articles about the other. I hope more companies follow suit.

  • Eric M Russell (4/8/2014)


    I hate to say it, but the only way we're ever going to see any industry-wide application of standard data security policies is through government regulation and oversight. For an organization to adopt their own internal security policy and then publicly state their own self-compliance is worthless.

    ....

    In the UK the banks were regulated and there was oversight. The result is that most banks thought that they could do what they wanted until the regulator told them not to. And of course the regulator couldn't see everything and wasn't expected to. So, a lot of poor practice.

    The same with data security. PCI DSS caused a stir and then nothing and the old ways are slipping back in.

  • Yet Another DBA (4/9/2014)


    Eric M Russell (4/8/2014)


    I hate to say it, but the only way we're ever going to see any industry-wide application of standard data security policies is through government regulation and oversight. For an organization to adopt their own internal security policy and then publicly state their own self-compliance is worthless.

    ....

    In the UK the banks were regulated and there was oversight. The result is that most banks thought that they could do what they wanted until the regulator told them not to. And of course the regulator couldn't see everything and wasn't expected to. So, a lot of poor practice.

    The same with data security. PCI DSS caused a stir and then nothing and the old ways are slipping back in.

    I don't see how the regulation and oversight have caused poor practices. If a particular organization has the attitude that they won't do anything unless they are told, then they won't do it in an unregulated environment either. The goal isn't to eliminate bad security practices; the goal is to minimize bad security practices.

    These organizations who have a reckless disregard for data security are the exception, and their days are numbered. Not only are they not too big to fail; they deserve to fail. It's essential that they fail so better organizations can step up and take their place.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
