[IP] more on Privacy experts vexed over bank's missing data mishap

To: Ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] more on Privacy experts vexed over bank's missing data mishap
From: David Farber <dave@xxxxxxxxxx>
Date: Fri, 04 Mar 2005 14:55:13 -0500
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx
User-agent: Microsoft-Entourage/11.1.0.040913

------ Forwarded Message
From: Ross Stapleton-Gray <ross@xxxxxxxxxxxxxxxxxx>
Date: Fri, 04 Mar 2005 11:39:09 -0800
To: <dave@xxxxxxxxxx>
Subject: Re: [IP] Privacy experts vexed over bank's missing data mishap

At 11:10 AM 3/4/2005, David Farber wrote:
>According to David Farber, a professor of computer science and public policy
>at Carnegie Mellon University, it is not uncommon for organizations to ship
>unencrypted tapes and assume they are safe.
>
>"You would think people would learn," said Farber, an outspoken privacy
>advocate. "It is such an easy thing to encrypt them. Before you write the
>tape, you encrypt the data. When you get to the other end, you unscramble
>it. Many of the things you archive, you don't care about. But when it comes
>to personal information, encryption is important. Tapes could be lost,
>misrouted, stolen -- anything."

I would go this one step further, and advocate that the data be protected
from all who have no need to know it, not just when it crosses the
"organizational perimeter."  When I was IT Security Officer for the UC
system, there was something of a philosophical battle on authority... we
had at least one campus IT security administrator who was adament that
system administrators, being responsible for their machines, ought to have
ready access to all *content* on the system... end-to-end encryption, for
example, was anathema, as that rendered traffic opaque to her.  But she
doesn't need to know most of what's on the network to do her job, and
exposing end-user information (whether financial records, per the BofA
case, PHI, per HIPAA, or just plain old private e-mail and documents) to
administrators without a need to know is folly.

And given the degree to which functionality is outsourced, I think one
might also be hard-pressed to define the organizational perimeter any
more.  Several UC problems of late, e.g., the medical records case where an
outside provider subcontracted offshore, and that subcontractor further
subcontracted to someone they didn't pay; or the case where a non-UC on a
UC network, using State-provided data, was compromised by a worm, point to
an increasing messiness of custody, ownership and responsibility.  Lock
things down as a default, and only permit what needs to be allowed to only
those who need it.

Ross

-----

Ross Stapleton-Gray, Ph.D., CISSP
Stapleton-Gray & Associates, Inc.
http://www.stapleton-gray.com

------ End of Forwarded Message

-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] more on Domain Owners Lose Privacy
Next by Date: [IP] Choicepoint
Previous by thread: [IP] more on Domain Owners Lose Privacy
Next by thread: [IP] Choicepoint
Index(es):
- Date
- Thread