Here is a reply by "James Ritchie, CISA, QSA" to a post by me to the DATALOSS
   discussion group.  I suggest that my friends:
   1. Visit the link he provided
   
http://infoseccompliance.blogspot.com/2008/02/legal-implications-risks-and-problems.html
   2. Scroll down to the "bullet" labeled
   * PCI as the standard of care for a negligent security suit
   Note in the 3rd paragraph of that section that there is a "here" link to
   expert analysis of what went wrong in the TJX case.  Follow that link &
   read it.
   3. Review the rest of the context, including this thread in DATALOSS
   Archives
    <http://attrition.org/pipermail/dataloss>
   4. Join the discussion.
   Summary of what went wrong at TJX
   * Their credit volume made them a type-1 merchant required to meet TWELVE
   standards of PCI, but they only implemented THREE of them
   * They stored track 2 data in violation of PCI rules ... with this data, a
   crook can counterfeit a payment card with a fully functional magnetic
   stripe
   * Their wireless network was in violation of applicable standards
   * Their computer network did not have proper firewalls to protect
   sensitive data
   * Their password rules were a farce
   * They failed to install patches critical to protecting sensitive data
   * They failed to maintain adequate intrusion detection systems
      Here is an article that is very relevant to the concepts that have been
      talked about under this thread.  This is from an attorney and dealing
      with PCI contractual compliance.  Once you finish reading the
      document, it would not be a far stretch for a civil suit on a data
      breach (not just PCI related) but using the required controls of the
      DSS as a standard of due care.  All company executives, time to start
      having your legal staff involved with each and every piece of compliance
      that your company faces.  Here is the link.

http://infoseccompliance.blogspot.com/2008/02/legal-implications-risks-and-problems.html
     Al Mac Wheel wrote:
       There will never be one perfect solution for all enterprises and
       government agencies.
       The risks are different depending on:
       * The nature of the data and software that needs to be protected, from
       what kinds of threats, which vary with the industry.
       * The computer operating system, computer languages supported, access
       methods.
       * Just as a lot of software was designed for a long ago reality, when
       the needs were less sophisticated, many buildings have security holes
       ... false ceilings that a human can travel over, circumventing locked
       doors, being the most obvious.
        * If a company does not own the building where their offices are
        located, the landlord has keys to the place, which may be accessible
        to a dishonest employee.  Also there may be other businesses in the
        same building, with weaker security.  Crooks break into the weakest
        link, then get through the building into their ultimate target.
        * In our interconnected world, other enterprises can connect to our
        systems ... some of this is mandated by government regulations, some
        of it due to how our business functions.  Let's suppose we have given
        access to our systems to tech support, consultants, auditors, etc. &
        let's suppose that outfit gets penetrated ... can the penetration
        extend to all the places they have access to?  We know there are
        viruses that target e-banking software, so that if we do electronic
        financial transfers ... everyone we do business with can be a weak
        link.
       However, there can be some standards that cross systems.
        Some upgrades require temporary relaxing of some security.  There are
        inspections that should be run after all upgrades, to ensure that
        certain security standards are once again in place.  They should be
        run whether or not the people doing the upgrades knowingly relaxed
        any standards.
        In addition to inspection to see if embezzlement is going on, there can
        also be inspection to see if people are keying sensitive information
        into data areas whose labeling is non-sensitive information.
        It is not enough to train people, and pass out policy manuals.  There
        has to be a process of testing that the people are following the
        rules, such as not to photocopy or fax certain sensitive information,
        to have encryption on portable data storage devices that leave company
        property, to lock facilities properly every night, promptly report
        anything lost or stolen.
       Testing software changes is done because we expect that something may
       go wrong, so the test data base should not contain sensitive data on
       real people, but rather data that is a simulation of the data to be
       tested.
       I had suggested in my work place ... the IBM OS tracks software and
       data usage ... I can show how heavily we use what ... the auditors can
       be told what is used to run our business on a regular basis ... they
       can designate 2-3 programs, data sets, etc. to be inspected by a
       computer auditor who is an expert on our application systems to
       produce a report on what this is really doing, how accurate it is, to
       be matched with the external auditors statement of how it has been
        represented to them by the end users.  Do the two stories match?
       Depending on the results, they see how frequent it is wise to pick
       other such samples in future audits.
        I had suggested this due to the multiplicity of PC tools on people's
        personal workstations & end users divorced from the internal logic of
        the tools, or software designed by co-workers, and the evolving
        business, where we are depending on tools designed years ago, for
        realities that no longer exist today.
       Manny Cho wrote:
         I agree with Sanford in that this incident (and all of the other
         loss notices that post every day to this site) is indicative of the
          fact that the idea of "one solution" or one perfect
          product is just not a reality today.
 _______________________________________________
 Dataloss Mailing List
 (dataloss@xxxxxxxxxxxxx)
 
http://attrition.org/dataloss
 Tenable Network Security offers data leakage and compliance monitoring
 solutions for large and small networks. Scan your network and monitor
 your
 traffic to find the data needing protection before it leaks out!
 
http://www.tenablesecurity.com/products/compliance.shtml
  
 --
 James Ritchie
 CISA, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+
 Linkedin
 
http://www.linkedin.com/pub/1/b89/433
 Attachments with this email, not explicitly referenced, should not be
 opened. Always scan your email and their associated attachments for
 viruses prior to opening.
 This message and any accompanying documents are confidential and may
 contain information covered under the Privacy Act, 5 USC 552(a), the
 Health Insurance Portability and Accountability Act (PL 104-191), or the
 Electronic Communications Privacy Act, 18 U.S.C. 2510-2521 and its
 various implementing regulations and must be protected in accordance with
 those provisions. Unauthorized disclosure or failure to maintain the
 confidentiality of the information may result in civil or criminal
 sanctions. 
 This e-mail is strictly confidential and intended solely for the
 addressee. Should you not be the intended addressee you have no right to
 any information contained in this e-mail. If you received this message by
 mistake you are kindly requested to inform us of this and to destroy the
 message.
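Two points in this thread come down to the same practical check: the TJX summary's bullet about stored track 2 data, and Al Mac Wheel's point about inspecting for sensitive information keyed into data areas labelled as non-sensitive. The example below is added here and is not code from the original thread or from any of its participants. It scans constructed sample records for full magnetic-stripe track 2 data and for bare card numbers, validates candidates with the Luhn check digit so that ordinary 16-digit tracking or account numbers are not reported, and flags hits that sit in fields other than the ones designated for card data. The field names ("pan", "notes", "comments"), the record layout and the sample values are assumptions made for the example; the card numbers are the well-known Luhn-valid test numbers, not anyone's card.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Track 2 layout (ISO/IEC 7813): optional ';' start sentinel, PAN (13-19 digits),
# '=' separator, expiry YYMM, 3-digit service code, numeric discretionary data,
# optional '?' end sentinel.  Sentinels are often lost when a track is pasted
# into a text field, so both are optional here.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\??")

# Bare PAN: 13-19 digits, optionally grouped with spaces or dashes.  The
# look-arounds refuse a substring of a longer digit run, so a 20-digit account
# or tracking number is never reported as a card number.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most a report should show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    record_id: int
    field: str
    kind: str               # "track2" or "pan"
    masked_pan: str
    expiry: Optional[str]   # MM/YY taken from track 2, None for a bare PAN
    misplaced: bool         # True when the field is not designated for card data


def scan_record(record: dict,
                sensitive_fields=frozenset({"pan", "card_number"})) -> list:
    """Return a Finding for every Luhn-valid track 2 or PAN in any string field."""
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        # Full track 2 first: this is what must never be stored after authorization.
        for m in TRACK2_RE.finditer(value):
            pan, yy, mm = m.group(1), m.group(2), m.group(3)
            if luhn_ok(pan):
                findings.append(Finding(record["id"], field, "track2", mask_pan(pan),
                                        f"{mm}/{yy}", field not in sensitive_fields))
        # Blank out track matches so their PAN is not counted twice, then look
        # for bare PANs keyed into free text.
        remainder = TRACK2_RE.sub(" ", value)
        for m in PAN_RE.finditer(remainder):
            pan = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(pan):
                findings.append(Finding(record["id"], field, "pan", mask_pan(pan),
                                        None, field not in sensitive_fields))
    return findings


def scan_records(records: list) -> list:
    return [f for r in records for f in scan_record(r)]


# Constructed sample records for the example (assumed layout, not real data).
SAMPLE_RECORDS = [
    # Masked PAN in the designated field and nothing else: no finding.
    {"id": 1, "pan": "411111******1111", "notes": "regular customer"},
    # Full track 2 pasted into a free-text notes field.
    {"id": 2, "pan": "411111******1111",
     "notes": "chargeback ref ;4111111111111111=2512101123456? see ticket"},
    # Bare card number keyed into a comments field labelled non-sensitive.
    {"id": 3, "pan": "", "comments": "customer read card 5500 0000 0000 0004 over phone"},
    # Sixteen digits that fail Luhn: a tracking number, not a card, so not flagged.
    {"id": 4, "pan": "", "comments": "shipped, tracking 1234567890123456"},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        where = "MISPLACED" if f.misplaced else "designated field"
        print(f"record {f.record_id}: {f.kind} in '{f.field}' ({where}) "
              f"{f.masked_pan} exp={f.expiry}")
```

Run against the samples, the scan reports record 2 (track 2 data, expiry 12/25, in "notes") and record 3 (a bare PAN in "comments"), both marked misplaced, and stays silent on the masked PAN and the tracking number. In practice the same two regexes and the Luhn filter are run over database dumps, log files and backups; the masked output is what goes into the report so the scan itself does not create another copy of the data it is looking for.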