Can Standards Like ITIL and ISO 27001 Help Prevent Yet Another Massive Data Breach?
It was almost two years ago when the ChoicePoint breach was made public. Identity thieves established over 160,000 bogus accounts using data stolen from the Georgia-based data aggregator. The company ended up paying $10 million in fines to the FTC along with $5 million for consumer redress. Has the overall state of consumer financial information security improved?
It may have. Sure, we hear about cases like the TJX breach that may have exposed 40 million accounts and the Veterans Administration laptop theft that could have exposed information on 28 million veterans and their spouses, but what about the success stories? There generally aren’t any; it just isn’t newsworthy when security works. Have you ever seen a newspaper story about a bank that wasn’t robbed?
What reason do I have to argue that security has gotten better? Mostly, it is improved awareness on the part of IT professionals and the availability of better tools and practices. Yes, cybercrime is on the rise, malware and phishing attacks are more targeted, and the highly touted security of Vista is widely questioned. What we do have on our side is security practices.
Hundreds of years ago, before there were cures for contagious diseases, hard-learned practical measures (aka “best practices”) like quarantines lessened the potential impact of those diseases. We’re in a similar situation. We can’t “cure” cybercrime and hacking, but we can contain it by starting with best practices like ITIL, ISO 27001 and COBIT.
None of these is perfect and none covers all aspects of security, but they are some of the best tools in our arsenal. Sure, incidents like TJX will still occur, but at least we can reduce the likelihood of them happening.
My guess is that any organization that seriously addresses security will be working on all the areas detailed in these standards. What do you think: are these measures worth the trouble, or is it better to formulate custom security strategies from scratch?


