BreachExchange mailing list archives

Re: fringe Federal law and ID theft prevention


From: Adam Shostack <adam () homeport org>
Date: Thu, 4 Sep 2008 15:31:29 -0400

You're welcome!  No argument that training is important, given the FTC
requirements.  At the same time, I'm curious--what do such programs
entail?  Do programs aspire to anything beyond "ensure we're
training?"  How are organizations testing their effectiveness?

Adam

On Thu, Sep 04, 2008 at 01:00:31PM -0600, Derek Rigsby wrote:
| Adam,
| 
| Thanks for catching that misstep in my comments.  My intention was to say
| "Training ALL employees on a regular basis is important, not just new
| employees as they are hired".
| 
| Derek Rigsby
| 
| -----Original Message-----
| From: Adam Shostack [mailto:adam () homeport org] 
| Sent: Thursday, September 04, 2008 12:39 PM
| To: Derek Rigsby
| Cc: 'Michael Hill, CITRMS'; 'Henry Brown'; dataloss () attrition org
| Subject: Re: [Dataloss] fringe Federal law and ID theft prevention
| 
| Hi Derek,
| 
| Do you have any evidence for the claim that new employees are most
| likely to steal information?  The ACFE (A'ssn Certified Fraud
| Examiners) report usually points to longtime employees as the
| most likely to steal money.
| 
| 
| Adam
| 
| On Thu, Sep 04, 2008 at 12:16:53PM -0600, Derek Rigsby wrote:
| | Training new employees is important.  They are a strange breed; not just
| | your first line of defense against fraud but they are also the most likely
| | person to steal the information that they have legitimate access to.  Too
| | often good employees see problems and potential holes in their
| | organization's information security policy but do not know how or if they
| | should bring them up to senior management.  Education is necessary to
| | combat fraud and identity theft but any company will need the buy-in from
| | senior management for any policy to be effective.  The Red Flag Rule
| | states that the policy must be administered by a board of directors, or
| | in the case of smaller entities that may not have a board of directors, a
| | member of senior management.  Together, proper education of all employees
| | and senior management driving the operational and cultural changes
| | necessary to implement a formal red flag policy is a step in the right
| | direction.
| | 
| | What is equally important and something I did not notice in the
| | referenced document is the vendor integrity requirement of the law.  A
| | covered entity must ensure not only its own compliance, but also must
| | consider the information security posture of any vendor, supplier or
| | third party provider with whom it exchanges sensitive data or who has
| | access to sensitive data.  All too often we hear about a loss of data
| | where a third party vendor mishandled a consumer's PII.  It is apparent
| | in today's world that organizations need to train their employees
| | regularly and have senior management coordinate the cultural and
| | operational changes, but it is equally important to know that vendors and
| | suppliers are doing the same.  If your organization does everything
| | properly and one vendor or supplier does not share the same kind of
| | reverence for protecting PII, your company is still at risk.
| | 
| | Derek Rigsby
| | Vice President
| | Product Development
| | idBUSINESS / idCURE
| | Denver, Colorado
| | 720.278.0756 - Mobile
| | Derek.Rigsby () idCURE com
| | 
| 
| 

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
