BreachExchange mailing list archives

Delete Data To Delete Risk


From: security curmudgeon <jericho () attrition org>
Date: Thu, 17 May 2012 14:10:20 -0500 (CDT)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.darkreading.com/database-security/167901020/security/news/240000521/delete-data-to-delete-risk.html

By Ericka Chickowski
Contributing Writer
Dark Reading
May 16, 2012

Earlier this month, a Missouri state senator led a filibuster to block the vote 
on the creation of a new prescription-tracking database within the state -- on 
the grounds that should a breach occur to expose this database, it would expose 
embarrassing information about citizens. Though extreme, the event offers good 
evidence that awareness is growing both in the public and private sector that 
one of the best ways to protect sensitive and personally identifiable 
information (PII) from a breach is to eliminate its existence.

"Rule No. 1 in data-breach prevention is that they can't steal it if you don't 
have it," says Alan Brill, senior managing director of Kroll Advisory 
Solutions. "It would be a lot better if people remembered that one."

Obviously, protected identifiable information and other sensitive information 
fuels enterprise business today. And then there are certain classes of data 
that are required to be kept because of litigation or to maintain a legal hold 
for discovery issues, Brill explains. But beyond that, he believes 
organizations need to do a better job probing the necessity of retaining data 
-- particularly PII -- and making every effort to limit its stay on company 
databases.

"You have to start asking, 'What's the value of the data? What am I doing with 
it? Does it represent positive value? And who wants me to keep it?'" Brill 
says.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
