Compare the confusion of implementing regulations, such as the Sarbanes-Oxley Act, with the clear results of breach disclosure accountability legislation, such as California Senate Bill 13. AOL, with its recent search data debacle, is the latest organization to have its data breach paraded across front-page headlines. Before AOL came the Department of Veterans Affairs and CardSystems.
AOL's desire to share search information with researchers was well intentioned but unsound. Personal information for some users was disclosed and many others may be at risk. A CTO and two other AOL staff members resigned or were forced to leave. While parent company Time Warner's stock registered barely a blip in this case, the career-limiting possibilities of any privacy breach are apparent to IT managers everywhere.
The VA went through a harrowing period while a nation feared those who had worked, fought and sacrificed for it would be subjected to identity theft or worse. In the end, the VA could offer plausible assurances that the data, though stolen, was never compromised. Yet as a result of disclosure and accountability, policies are changing to prevent sensitive data from wandering away in laptops to suburban neighborhoods.
CardSystems was forced to disclose a massive breach of credit card data caused not only by its failure to comply with security policy but also by its violation of the contract governing the use of that data. CardSystems became a corporate pariah, fell into bankruptcy and died. Executives around the world took notice.
Breach disclosure focuses on accountability for results, not the audit process. When data protection joins sales and profit as part of a balanced scorecard for corporate objectives, executives have incentives to reduce risk.
On the other hand, SOX - with its stentorian demands for auditor certifications - has produced mixed results. The annual audit has become a security theater of IT practitioners and auditors poring through prescriptive checklists and documents. One can find silver linings of risk management and process automation in SOX, but only after peeling away reams of documentation and audits.
There are useful lessons from these experiences for public policy and internal security programs. The threat of having to disclose information security failures can pose enough reputation risk and legal jeopardy to encourage proactive change.