Interesting People mailing list archives

more on Privacy experts vexed over bank's missing data mishap


From: David Farber <dave () farber net>
Date: Fri, 04 Mar 2005 14:55:13 -0500


------ Forwarded Message
From: Ross Stapleton-Gray <ross () stapleton-gray com>
Date: Fri, 04 Mar 2005 11:39:09 -0800
To: <dave () farber net>
Subject: Re: [IP] Privacy experts vexed over bank's missing data mishap

At 11:10 AM 3/4/2005, David Farber wrote:
> According to David Farber, a professor of computer science and public policy
> at Carnegie Mellon University, it is not uncommon for organizations to ship
> unencrypted tapes and assume they are safe.
>
> "You would think people would learn," said Farber, an outspoken privacy
> advocate. "It is such an easy thing to encrypt them. Before you write the
> tape, you encrypt the data. When you get to the other end, you unscramble
> it. Many of the things you archive, you don't care about. But when it comes
> to personal information, encryption is important. Tapes could be lost,
> misrouted, stolen -- anything."

I would go this one step further, and advocate that the data be protected
from all who have no need to know it, not just when it crosses the
"organizational perimeter."  When I was IT Security Officer for the UC
system, there was something of a philosophical battle on authority... we
had at least one campus IT security administrator who was adamant that
system administrators, being responsible for their machines, ought to have
ready access to all *content* on the system... end-to-end encryption, for
example, was anathema, as that rendered traffic opaque to her.  But she
doesn't need to know most of what's on the network to do her job, and
exposing end-user information (whether financial records, per the BofA
case, PHI, per HIPAA, or just plain old private e-mail and documents) to
administrators without a need to know is folly.

And given the degree to which functionality is outsourced, I think one
might also be hard-pressed to define the organizational perimeter any
more.  Several UC problems of late, e.g., the medical records case where an
outside provider subcontracted offshore, and that subcontractor further
subcontracted to someone they didn't pay; or the case where a non-UC on a
UC network, using State-provided data, was compromised by a worm, point to
an increasing messiness of custody, ownership and responsibility.  Lock
things down as a default, and only permit what needs to be allowed to only
those who need it.

Ross



-----

Ross Stapleton-Gray, Ph.D., CISSP
Stapleton-Gray & Associates, Inc.
http://www.stapleton-gray.com




------ End of Forwarded Message

