BreachExchange mailing list archives

Re: University of MD mails 24000 SSN on front of envelope


From: "Kyle Davis" <Kyle.Davis () apollogrp edu>
Date: Wed, 23 Jul 2008 09:56:43 -0700


I'm rather new here, but thought I'd toss in my $0.02.

I agree with much of what you've all stated regarding lack of education,
but having SSNs so available to a person who does a mail merge for
envelopes seems silly to me.  There really does need to be a better
lockdown on some data (SSN being one of the top ones).  Is this kind of
thing still going to happen in the future even after locking down the
data better? You betcha it will happen, but at least there will be fewer
occurrences of it. And if it does happen, there will be a better feedback
program in place to help with situations like this in the future.

Also, Michael hit the nail on the head when he stated "periodic
training".  A single training event is NOT enough for most of the
workforce out there.  They need to be hit with training on this topic at
least twice a year, if not more.

Kyle R. Davis, Security Analyst
Apollo Group

-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of Arshad Noor
Sent: Wednesday, July 23, 2008 9:47 AM
To: Michael Hill, CITRMS
Cc: dataloss () attrition org
Subject: Re: [Dataloss] University of MD mails 24000 SSN on front of envelope

Couldn't agree with you more, Michael.  In fact, the lack of training
of involved personnel, and the lack of a culture that encourages "risk
detection and management" is probably the single biggest weakness in
most IT environments today.  There is far too much trust placed in
technology and not enough in the ability and training of humans to
address security risks.  While I would like to say that companies lose
as a result of this myopia, in the long term we consumers wind up
paying for those losses, unfortunately.

Arshad Noor
StrongAuth, Inc.

Michael Hill, CITRMS wrote:
Lack of education and training given to employees, contractors and
service providers to help spot security vulnerabilities.  Periodic
training emphasizes the importance you place on meaningful data security
practices.  A well-trained workforce is just as important a defense
against identity theft and data breaches as are physical and electronic
security.

In this case, I can't believe nobody in the whole process spotted the
SSN or at least questioned it when seeing a 9-digit number.  Training
certainly could have uncovered this, though we will never know.
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml
