BreachExchange mailing list archives

Re: hard drive destruction


From: Al Mac <macwheel99 () sigecom net>
Date: Thu, 17 Aug 2006 01:41:58 -0500

Remember that SOX only applies to companies doing business in USA that are 
traded on the stock market.  Many large companies are privately held.

Looking at recent large breaches
Ernst & Young  ... multiple breaches with records on different companies
* BP employees
* Cisco employees
* Hotels.com
* IBM employees
* Nokia employees
* Sun Microsystems employees

I think they are based in Britain, so different laws may be applicable than 
those in USA
Hummingbird in Canada breached 1,300,000 US students

These are public companies in USA
American Insurance Group  ... 930,000
Automated Data Processing ... hundreds of thousands
IBM  ... 17,781,462
Marsh Insurance ... 540,000

I do not believe the American Red Cross is
several incidents, big one = 1 million people
or American Institute of Certified Public Accountants  (330,000)
or Vassar Brothers Medical Center (257,800)

It might be of interest to know what proportion of breaches occurred at 
institutions not covered by SOX, CFR, GLBA, HIPAA, etc.  In other words, the 
only rules that applied to them were the breach disclosure laws, and good 
governance without any mandate for it.

Alphabet soup of some data security standards
http://www.unbeatenpathintl.com/ITstandards/source/1.html

I think a large proportion of breaches overall have been at Colleges and 
Universities. I don't think any of them are covered by SOX.  However, the 
number of victims per academia incident is generally smaller compared to 
incidents at Government and Financial Institutions ... I think the banks 
are heavily regulated, such as by GLBA, bank regulators, and the credit 
card standards, and most of them are public companies.

There's also the question of what industries appear to have avoided having 
any significant breaches, and the numbers of non-victims (because no 
breaches) involved there.

This whole security and accountability issue adds a new level of
complexity to outsourcing and offshoring IT capabilities.  Data breaches
aside, when SOX moves from 404 to 409, I cannot help but wonder how some
business entities will demonstrate compliance, when all of their
physical data handling occurs outside of their physical control.  It is
deceptively easy to comply with security requirements on paper.

Of course the Information Security standards ISO 17799 and ISO 27001 will add
additional levels of complexity.  The combination of executive
accountability (in terms of actually going to jail) for financial data,
and the vulnerability of personal data (often stored on the same
systems) will make the next 5 years.... Interesting.

Andy Dail
Sunoco PCI Project Manager


_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 304 incidents over 6 years.