BreachExchange mailing list archives
Re: Knock, knock. Who's there? No one.
From: "Al Mac Wow" <macwheel99 () wowway com>
Date: Tue, 26 Feb 2013 14:13:14 -0600
Instead of 48 hours' warning, make it 2 business days. This is because it is quite common for companies' decision makers to become incommunicado, from their own employees, during weekends and holidays, when the people left behind are not authorized to respond to anything outside normal business activities.

Not all institutions have a public web site, especially smaller companies whose sales are not to consumers but within an industry. Most of those institutions have a payroll system, where they can easily have over 50 employees' personal identification info at risk of breach.

Some institutions do not have a responsible person, as defined by this proposed law. They may have someone who wears many hats, one of which is cyber security, and perhaps once a month attends to that detail. They may rely upon outside consultants, not on call duty all the time, but only called when top management thinks there is a problem worthy of calling them. Companies can set up e-mail systems with various names of "responsible parties" in charge of various duties, which are forwarded to the current real people in those jobs; then, with turnover, and not much in the way of a computer department, those "responsible parties" e-mail addresses can become no one home.

There needs to be an alternative way for institutions, without web sites, nor persons with cyber security responsibilities, to accept breach reports. I suggest: fax machine; snail mail address; company lawyer firm contact info; company auditors identified.

How can an institution have a breach if they do not have a web site? They can have computers connected to the Internet via e-mail, FTP, VPN, WiFi, and many other communication protocols. They can have dumpsters open to dumpster diving. They can have weaknesses in physical security. They can have auditors, or other 3rd party access to their data, which have breakdowns in security.

Many web sites are not intended to accept comments. Some government web sites are like that. They exist only to broadcast info to the public. I tried to post the above as comments to http://www.databreaches.net/?p=26909 but my connection timed out, several times.

Al Mac (WOW) = Alister William Macintyre
_______________________________________________ Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org) Archived at http://seclists.org/dataloss/