Re: Guide puts a price tag on security breaches

["Sasha Romanosky" <sromanos () andrew cmu edu>]

FYI, 

While nicely packaged, I don't see any new information here, esp. regarding
costs of breaches (they just cite ponemon).

> -----Original Message-----
> From: dataloss-discuss-bounces () datalossdb org 
> [mailto:dataloss-discuss-bounces () datalossdb org] On Behalf Of 
> Jake Kouns
> Sent: Sunday, April 04, 2010 8:43 PM
> To: dataloss-discuss () datalossdb org; dataloss () datalossdb org
> Subject: [Dataloss-discuss] Guide puts a price tag on 
> security breaches
>
> http://www.nextgov.com/nextgov/ng_20100331_6223.php
>
> BY ALIYA STERNSTEIN 03/31/2010
>
> Public and private sector chief financial officers should 
> develop a budget that calculates the gross financial risk a 
> security breach could pose to their organization, according 
> to a new report from a U.S. standards body and a security 
> trade association.
>
> The 76-page guide comes in response to a 60-day White House 
> review last year of the nation's cybersecurity infrastructure 
> that found quantifying the value of protection motivates 
> organizations to address vulnerabilities. The document -- 
> written by the American National Standards Institute and the 
> Internet Security Alliance, a nonprofit electronic industry 
> group that is affiliated with Carnegie Mellon University -- 
> assigns dollar figures to information losses and advises CFOs 
> on the financial management of cyber risk.
>
> The instructions apply both to federal and corporate CFOs, 
> said Karen Hughes, ANSI's director of homeland security standards.
>
> "The overarching message this document puts forward is that 
> the single biggest threat to cybersecurity is 
> misunderstanding," she said. "CFOs from the public and 
> private sectors alike must look at cybersecurity as an 
> enterprise- [and] agency-wide issue and not just an IT issue, 
> to ultimately reduce vulnerabilities to cyberattacks and 
> their financial implications."
>
> The handbook is based on the premise that companies today, 
> most of which depend on the Internet to survive, have 
> relegated data security to an isolated, and often underfunded, unit.
>
> The publication estimates a data breach of 10,000 records 
> containing personal identification information would cost 
> about $1.6 million, assuming the company carried breach 
> insurance with an 80 percent coverage of direct costs. That 
> sum includes direct expenses for investigations and 
> forensics, consulting services, notification of affected 
> individuals, public relations, legal defense, and credit and 
> identity monitoring -- as well as the indirect cost of lost business.
> The handbook cites several analytical models to help chiefs 
> assess costs and benefits.
>
> [..]
> _______________________________________________
> Dataloss-discuss Mailing List 
> (dataloss-discuss () datalossdb org) Archived at 
> http://seclists.org/dataloss/
>
> Get business, compliance, IT and security staff on the same 
> page with CREDANT Technologies: The Shortcut Guide to 
> Understanding Data Protection from Four Critical 
> Perspectives. The eBook begins with considerations important 
> to executives and business leaders.
> http://www.credant.com/campaigns/ebook-chpt-one-web.php

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/

Get business, compliance, IT and security staff on the same page with
CREDANT Technologies: The Shortcut Guide to Understanding Data Protection
from Four Critical Perspectives. The eBook begins with considerations
important to executives and business leaders.
http://www.credant.com/campaigns/ebook-chpt-one-web.php