Re: Preparing for a High-profile Termination

GAO & IGs also do periodic studies of frequency of problems & risks out there.

I found the Credit Card Industry Annual Audit statistics to be most enlightening with respect to what percentage of the financial and retail industry thumb their noses at the security standards. (In some markets, more thumb their nose than do lip service to the standards.) When there is a breach in the news, figuring out what kind of computer system they were using, is next to impossible. Even when there are good standards, enforcement within an enterprise can also be challenging.

Here's link to latest relevant GAO report. Most of these investigations contain references pointing at earlier ones. Highlights usually one page good overview.

Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown. GAO-07-737, June 4.
http://www.gao.gov/cgi-bin/getrpt?GAO-07-737
Highlights - http://www.gao.gov/highlights/d07737high.pdf

Al,

Thanks for your replies and for that link to Attrition.org! After seeing that list of incidents, I think I would fully support a national SB1386-like (California) initiative.

Rob,

Good point about the source code scanning.

As always, I appreciate everyone's feedback. Now, it's time to axe the computers and actually take my two PTO days!

Best regards,

Steven W. Martinson, CISSP, CISM
Sheshunoff Management Services, LP.
Senior Consultant - Technology & Risk Management
2801 Via Fortuna, Suite 600 | Austin, TX 78746
Direct: 281.758.2429 | Mobile: 512.779.2630
e.Mail: smartinson@xxxxxxxxx